automata and linear temporal logic: translations with...

Helsinki University of Technology Laboratory for Theoretical Computer Science

Research Reports 104

Teknillisen korkeakoulun tietojenkasittelyteorian laboratorion tutkimusraportti 104

Espoo 2006 HUT-TCS-A104

AUTOMATA AND LINEAR TEMPORAL LOGIC: TRANSLATIONS

WITH TRANSITION-BASED ACCEPTANCE

Heikki Tauriainen

AB TEKNILLINEN KORKEAKOULU

TEKNISKA HÖGSKOLAN

HELSINKI UNIVERSITY OF TECHNOLOGY

TECHNISCHE UNIVERSITÄT HELSINKI

UNIVERSITE DE TECHNOLOGIE D’HELSINKI

Helsinki University of Technology Laboratory for Theoretical Computer Science

Research Reports 104

Teknillisen korkeakoulun tietojenkasittelyteorian laboratorion tutkimusraportti 104

Espoo 2006 HUT-TCS-A104

AUTOMATA AND LINEAR TEMPORAL LOGIC: TRANSLATIONS

WITH TRANSITION-BASED ACCEPTANCE

Heikki Tauriainen

Dissertation for the degree of Doctor of Science in Technology to be presented with due permission of

the Department of Computer Science and Engineering, for public examination and debate in Auditorium

T2 at Helsinki University of Technology (Espoo, Finland) on the 27th of October, 2006, at 12 o’clock

noon.

Helsinki University of Technology

Department of Computer Science and Engineering

Laboratory for Theoretical Computer Science

Teknillinen korkeakoulu

Tietotekniikan osasto

Tietojenkasittelyteorian laboratorio

Distribution:

Helsinki University of Technology

Laboratory for Theoretical Computer Science

P.O.Box 5400

FI-02015 TKK, FINLAND

Tel. +358 9 451 1

Fax. +358 9 451 3369

E-mail: [email protected]

URL: http://www.tcs.tkk.fi/

©c Heikki Tauriainen

ISBN 951-22-8343-3

ISSN 1457-7615

Electronic Edition

September 2006

ABSTRACT: Automata theory provides powerful tools for designing and im-plementing decision procedures for temporal logics and their applications tothe automatic verification of systems against their logical specifications. Im-plementing these decision procedures by making use of automata built fromthe systems and their specifications with translation procedures is challengingin practice due to the tendency of the automata to grow easily unmanageablylarge as the size of the systems or the logical specifications increases.

This thesis develops the theory of translating propositional linear timetemporal logic (LTL) into nondeterministic automata via self-loop alternat-ing automata. Unlike nondeterministic automata, self-loop alternating au-tomata are expressively equivalent to LTL and allow a conceptually simpletranslation of LTL specifications into automata using a set of rules for build-ing automata incrementally from smaller components. The use of general-ized transition-based acceptance for automata throughout all constructionsgives rise to new optimized translation rules and facilitates designing heuris-tics for the minimization of automata by making use of language contain-ment tests combined with structural analysis of automata. The generalizeddefinition also supports the translation of self-loop alternating automata intonondeterministic automata by essentially applying the standard subset con-struction; this construction can be further simplified and optimized whenworking with automata built from LTL formulas. The translation rules canalso be used to identify a syntactic subclass of LTL for which the exponentialincrease caused by the subset construction in the number of states of the au-tomaton can always be avoided; consequently, the satisfiability problem forthis subclass, which is shown to extend related subclasses known from theliterature, is NP-complete. Additionally, the emptiness of generalized non-deterministic automata is shown to be testable without giving up generalizedtransition-based acceptance by using a new variant of the well-known nesteddepth-first search algorithm with improved worst-case resource requirements.

KEYWORDS: linear time temporal logic, alternating automata, nonde-terministic automata, transition-based acceptance, minimization, nondeter-minization, emptiness checking, nested depth-first search

TIIVISTELMA: Automaattiteorian avulla voidaan suunnitella ja toteuttaatemporaalilogiikkojen ratkaisumenetelmiä sekä näiden menetelmien sovel-lutuksia logiikoilla järjestelmistä esitettyjen oikeellisuusvaatimusten tietoko-neavusteiseen verifiointiin. Käytännössä näiden ratkaisumenetelmien toteut-taminen kääntämällä järjestelmät ja niiden oikeellisuusvaatimukset automaa-teiksi on kuitenkin haasteellista, sillä näistä automaateista tulee järjestelmientai loogisten vaatimusten koon kasvaessa helposti niin suuria, ettei niitä enäävoida käsitellä.

Tässä väitöskirjassa kehitetään lineaarisen ajan temporaalilogiikan (LTL)epädeterministisiksi automaateiksi kääntämisen teoriaa käyttämällä käännök-sen apuna vain yhden tilan silmukoita sisältäviä alternoivia automaatteja, joil-la – toisin kuin epädeterministisillä automaateilla – on sama ilmaisuvoimakuin lineaarisen ajan temporaalilogiikalla. Tätä logiikkaa voidaan kääntäänäiksi automaateiksi soveltaen yksinkertaisia sääntöjä automaattien yhdistä-miseksi vaiheittain keskenään yhä suuremmiksi automaateiksi. Käyttämälläyleistettyä siirtymäpohjaista hyväksyvyyden määritelmää automaateille kai-kissa käännöksen vaiheissa voidaan näin muodostettuja automaatteja sieven-tää uusin tavoin käyttäen apuna automaattien hyväksymien kielten välisiä si-sältyvyyssuhteita sekä automaattien rakenteellisia ominaisuuksia. Yleistetynmääritelmän ansiosta vain yhden tilan silmukoita sisältävät alternoivat au-tomaatit voidaan myös kääntää edelleen epädeterministisiksi automaateiksisoveltamalla yleisesti tunnettua osajoukkokonstruktiota lähes sellaisenaan.Tämä konstruktio voidaan edelleen tehdä yksinkertaisemmin ja tehokkaam-min LTL-kaavoista muodostetuille automaateille. Automaattikäännöksessäkäytettävien sääntöjen avulla voidaan myös erottaa lineaarisen ajan tempo-raalilogiikan syntaktinen osajoukko, jonka kaavat on mahdollista kääntää epä-deterministisiksi automaateiksi ilman, että automaattien tilojen määrä kas-vaa osajoukkokonstruktion tavoin eksponentiaalisesti. Tästä tuloksesta seu-raa, että kyseisen LTL:n osajoukon toteutuvuusongelma on NP-täydellinen.Osajoukko on samankaltaisia kirjallisuudessa aiemmin esiteltyjä osajoukko-ja aidosti laajempi. Väitöskirjassa esitetään myös, kuinka epädeterministisenautomaatin hyväksymän kielen tyhjyys voidaan tarkastaa luopumatta yleis-tetystä siirtymäpohjaisesta hyväksyvyyden määritelmästä käyttäen algoritmia,joka on uusi, huonoimman tapauksen vaatimuksiltaan tehokkaampi muun-nos tunnetusta sisäkkäisestä syvyyshakualgoritmista.

AVAINSANAT: lineaarisen ajan temporaalilogiikka, alternoivat automaatit,epädeterministiset automaatit, siirtymäpohjainen hyväksyvyys, automaattiensieventäminen, epädeterminisointi, tyhjyystarkastus, sisäkkäinen syvyyshaku

CONTENTS

Preface xi

1 Introduction 1

2 Definitions and Basic Results 112.1 Mathematical Concepts and Notation . . . . . . . . . . . . . 11

2.1.1 Sequences . . . . . . . . . . . . . . . . . . . . . . . 112.1.2 ω-Regular Expressions . . . . . . . . . . . . . . . . . 12

2.2 Propositional Linear Time Temporal Logic . . . . . . . . . . 132.2.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . 142.2.2 Semantics . . . . . . . . . . . . . . . . . . . . . . . . 142.2.3 Positive Normal Form . . . . . . . . . . . . . . . . . 16

2.3 Alternating Automata . . . . . . . . . . . . . . . . . . . . . . 182.3.1 Basic Concepts . . . . . . . . . . . . . . . . . . . . . 202.3.2 Properties of Runs of Alternating Automata . . . . . . 272.3.3 Semi-Runs . . . . . . . . . . . . . . . . . . . . . . . 312.3.4 Self-loop Alternating Automata . . . . . . . . . . . . 35

3 Basic Automaton Translation 403.1 Translation Rules . . . . . . . . . . . . . . . . . . . . . . . . 41

3.1.1 Simple Observations . . . . . . . . . . . . . . . . . . 453.2 Sizes of Components in an Automaton Built from an LTL

Formula . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503.2.1 Number of States . . . . . . . . . . . . . . . . . . . . 503.2.2 Number of Transitions . . . . . . . . . . . . . . . . . 523.2.3 Number of Acceptance Conditions . . . . . . . . . . 54

3.3 Correctness of the Translation . . . . . . . . . . . . . . . . . 543.4 Reverse Translation . . . . . . . . . . . . . . . . . . . . . . . 59

4 Nondeterminization of Self-loop Alternating Automata 684.1 Uniform Runs . . . . . . . . . . . . . . . . . . . . . . . . . . 694.2 Nondeterminization Construction . . . . . . . . . . . . . . . 74

4.2.1 Universal Subset Construction . . . . . . . . . . . . . 754.2.2 Number of States and Transitions in a Nondetermin-

istic Automaton . . . . . . . . . . . . . . . . . . . . . 794.2.3 Number of Acceptance Conditions . . . . . . . . . . 80

4.3 Automata with Acceptance Synchronized Runs . . . . . . . . 834.3.1 Acceptance Synchronicity . . . . . . . . . . . . . . . 844.3.2 A Simplified Nondeterminization Construction . . . 854.3.3 Sufficient Conditions for Acceptance Synchronization 864.3.4 Application to Translation of LTL into Nondetermin-

istic Automata . . . . . . . . . . . . . . . . . . . . . 914.4 Languages Accepted by Subautomata of a Nondeterministic

Automaton . . . . . . . . . . . . . . . . . . . . . . . . . . . 934.5 On-the-Fly Optimizations to Nondeterminization . . . . . . . 94

CONTENTS vii

4.5.1 Detecting Redundant States Using Syntactic Impli-cations . . . . . . . . . . . . . . . . . . . . . . . . . 95

4.5.2 Merging Syntactically Language-Equivalent States . . 974.6 The Subclass LTLCND . . . . . . . . . . . . . . . . . . . . . 103

4.6.1 Completion to Nondeterministic Automata . . . . . . 1034.6.2 Closure Properties of Translation Rules . . . . . . . . 1054.6.3 Definition of the Subclass . . . . . . . . . . . . . . . 1074.6.4 Relationships between Syntactic Subclasses of LTL . 1084.6.5 A Remark on Satisfiability . . . . . . . . . . . . . . . 114

5 Refining the Basic Translation Rules 1175.1 Simple Optimizations . . . . . . . . . . . . . . . . . . . . . 117

5.1.1 Subformulas with Commutative Main Connectives . 1175.1.2 Transition Guard Simplification . . . . . . . . . . . . 117

5.2 Language Containment Checking between Self-loop Alter-nating Automata . . . . . . . . . . . . . . . . . . . . . . . . 118

5.3 Rule Preprocessing Using Language Containment . . . . . . 1225.4 The ∧ Connective . . . . . . . . . . . . . . . . . . . . . . . 1235.5 Binary Temporal Connectives . . . . . . . . . . . . . . . . . 1365.6 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

5.6.1 Translation Example Revisited . . . . . . . . . . . . . 1465.6.2 Comparison of the Basic and the Refined Translation

Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 1475.6.3 Extension of the Subclass LTLCND . . . . . . . . . . 151

6 Removing Redundant Transitions 1566.1 Redundant Transitions and Language Containment . . . . . 1576.2 Detecting Redundant Initial Transitions by Transition Sub-

stitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1596.2.1 Redundant Transitions and Runs of an Automaton . . 1596.2.2 Transition Substitution . . . . . . . . . . . . . . . . . 1606.2.3 Substitutability and Redundant Initial Transitions of

Self-loop Automata . . . . . . . . . . . . . . . . . . . 1616.2.4 Reducing Language Containment Between Intersec-

tions of Languages to Language Emptiness . . . . . . 1676.2.5 Compatibility with Nondeterminization of Automata

Built from LTL Formulas . . . . . . . . . . . . . . . 1686.2.6 Examples . . . . . . . . . . . . . . . . . . . . . . . . 172

7 A High-Level Refined Translation Procedure 182

8 Language Emptiness Checking for Nondeterministic Automata 1858.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . 1868.2 Degeneralization . . . . . . . . . . . . . . . . . . . . . . . . 1878.3 Emptiness Checking Algorithm . . . . . . . . . . . . . . . . 190

8.3.1 Resource Requirements . . . . . . . . . . . . . . . . 1948.3.2 Correctness of the Algorithm . . . . . . . . . . . . . 1968.3.3 Compatibility with Enhancements of Classic Nested

Depth-First Search . . . . . . . . . . . . . . . . . . . 205

viii CONTENTS

9 Conclusion 209

Bibliography 215

CONTENTS ix

x CONTENTS

PREFACE

This report is the result of my postgraduate studies at the Laboratory for The-oretical Computer Science of Helsinki University of Technology. I wish tothank my advisor, Docent Keijo Heljanko, who originally introduced me intothe theory of model checking. Without the many discussions with him myapprehension of many concepts and techniques about this subject would bemuch poorer. I continue to be amazed by his wealth of ideas and his insightto see the correctness or falsehood of ideas outright without the need to jumpinto details, which can always be filled in if necessary. Indeed, countless re-sults in this work owe their inclusion directly to his insight. His commentson the numerous drafts of this constantly expanding work (and the time hesacrificed in reviewing it) are much appreciated.

I am thankful also to my supervisor, Prof. Ilkka Niemelä, for his patienceand support throughout my postgraduate studies and for letting me be amember of his research group at the Laboratory of Theoretical ComputerScience. I thank also Prof. Emeritus Leo Ojala for guiding me in the firststeps of my postgraduate studies, in particular, through his challenging andeducational seminars. I am grateful also to my colleagues Dr. Sc. (Tech.)Tommi Junttila and Dr. Sc. (Tech.) Timo Latvala for conversations and co-operation, Alexandre Duret-Lutz for discussions on explicit state languageemptiness checking algorithms and transition-based acceptance, and to Prof.Orna Kupferman and Dr. Stephan Merz for their thorough pre-examinationreviews of this work. Finally, I wish to express my deepest thanks to my par-ents, without whose tireless support and friendship I would not have had thestrength to finish this effort.

This work was supported financially by Helsinki Graduate School in Com-puter Science and Engineering (HeCSE), Academy of Finland (Projectnumbers 47754, 53695 and 211025), Finnish Funding Agency for Technol-ogy and Innovation (TEKES), Department of Computer Science and En-gineering at Helsinki University of Technology, and a personal grant fromNokia Foundation. I wish to thank these institutions for making my full-timepostgraduate studies possible.

CONTENTS xi

1 INTRODUCTION

Automata on infinite objects link the theory of reasoning about the correct-ness of finite-state reactive and concurrent systems to the design of concretedecision procedures for checking the satisfiability or validity of specificationsgiven in formal logic, and for the automatic verification of systems againstsuch specifications [Clarke and Emerson 1982a,b; Queille and Sifakis 1982;Lichtenstein and Pnueli 1985] (a task commonly known as model checking).The logical specifications define constraints on the computations of the sys-tem, which are seen as infinite trees or sequences of finite sets of truth-valuedassertions that record the internal state of the system at discrete consecutiveinstants of time. The connection between automata and logic arises fromthe classic interpretation of automata as acceptors of sequences (words) ortrees, which are in this case identified with word or tree models of formulasin the logic. For example, testing whether a system meets its specificationcan be decided by checking that no computation of the system is acceptedby a finite automaton that distinguishes exactly those computations that donot satisfy the specification from all possible computations [Vardi and Wolper1986]. Such an automaton can be obtained automatically from the logicalspecification by using a translation procedure for the logic. This generalapproach to verification has led to the introduction of a wide variety of au-tomata and corresponding translation and verification procedures designedfor capturing the expressive power of many linear and branching time logics(see, for example, [Wolper et al. 1983; Vardi and Wolper 1986; Muller et al.1988; Emerson and Jutla 1991; Emerson et al. 1993, 2001; Bernholtz et al.1994; Vardi and Wolper 1994; Vardi 1996; Kupferman et al. 2000, 2001]).

The automatic analysis of structures built from formal descriptions of sys-tems is challenging in practice, because the construction of the structures isextremely sensitive to combinatorial explosion (known as the state space ex-plosion problem; see, for example, the survey by Valmari [1998]). This sameproblem concerns also the translation of specifications into automata, and itsseverity depends on the expressiveness of the chosen specification logic. Theincreasing computational complexity of working with increasingly expressive(but still decidable) logics is reflected in automata translation procedures ascombinatorial explosion, the worst-case complexity of which can range frompolynomial to nonelementary in the length of the logical specification. Thestruggle against the combinatorial explosion, which limits the size and scopeof specifications that can be realistically handled within the resources avail-able in practice, has presented a need for translation procedures that aim toavoid the worst case behavior in as many cases as possible.

This work focuses on automata translation and verification proceduresfor specifications given as formulas of classic future-time propositional lineartime temporal logic (LTL) using special classes of alternating automata oninfinite words with generalized transition-based acceptance throughout allconstructions. The classic automata-theoretic verification procedure for LTLcan be seen as a series of translations as shown in Fig. 1.1. The connectionbetween automata and LTL, this verification procedure, and the conceptsused in it are briefly introduced below.

1. INTRODUCTION 1

LTL spec-ification

alternatingautomaton

nondeterministicautomaton

verifi-cation

system(simplification) (simplification)(simplification)

Fig. 1.1: The verification procedure for LTL as a series of translations

Background and Related Work

Logic, automata on infinite objects, and the LTL verification procedure.The connection between logics and automata on infinite objects was firstused in the 1960s by Büchi [1962] and Rabin [1969] to prove decidabil-ity results for monadic second-order theories of one and many successors,respectively (see, for example, [Thomas 1990], for a survey of the classic re-sults). In the 1980s, these automata were used to obtain decision proceduresfor modal and temporal logics of programs. Streett [1981, 1982] appliedautomata to the decision problem of extended propositional dynamic logic;Wolper et al. [1983] and Vardi and Wolper [1994] used automata-theoretictechniques for deciding linear time temporal logics based on the extendedtemporal logic of Wolper [1981, 1983]; and Emerson and Sistla [1984a,b]proposed an automata-theoretic decision procedure for the branching timetemporal logic CTL? introduced by Emerson and Halpern [1983, 1986].As a special case of their own construction for translating extended tempo-ral logic into automata [Wolper et al. 1983; Vardi and Wolper 1994], Vardiand Wolper [1986] proposed also an explicit decision and verification proce-dure for propositional linear time temporal logic [Pnueli 1977; Gabbay et al.1980; Pnueli 1981], which supports reasoning about the properties of non-terminating, nonbranching computation paths in a system using invariants,future-time assertions, and qualitative causality and fairness constraints onthe occurrence of certain states in the computations. The automata-theoreticverification procedure for this logic (Fig. 1.1) works by translating formulasin the logic in one or more intermediate steps into nondeterministic finiteω-automata, i.e., nondeterministic automata on infinite words, whose accep-tance is determined, for instance, by a set of designated states that an automa-ton should visit infinitely often when reacting to its input (a concept known asBüchi acceptance after Büchi [1962]). The automata built from formulas arethen composed with finite models of systems to compare the behavior of thesystems against the logical specifications. The automata-theoretic approachto LTL model checking stimulated active research on techniques for trans-lating LTL and related linear time logics efficiently into nondeterministicautomata [Wolper et al. 1983; Michel 1985; Vardi and Wolper 1986; de Jong1992; Vardi and Wolper 1994; Gerth et al. 1995; Couvreur 1999; Danieleet al. 1999; Somenzi and Bloem 2000; Geilen 2001; Schneider 2001; Wolper2001; Giannakopoulou and Lerda 2002; Thirioux 2002; Latvala 2003; Seba-stiani and Tonetta 2003].

Language emptiness checking and on-the-fly verification. The last stepin the verification procedure for LTL in Fig. 1.1 corresponds to checking theset intersection of the computations (i.e., the “language”) of a given system

2 1. INTRODUCTION

with computations that violate a given LTL specification for emptiness byanalyzing an automaton obtained by combining the system with a nondeter-ministic automaton built from the LTL specification. The same techniqueapplies to testing the satisfiability of the logical specification itself, in whichcase the emptiness analysis is simply done on an automaton built from thespecification.

Instead of running the steps in the verification procedure sequentially oneafter another, the verification procedure can be implemented using on-the-fly translation and emptiness checking algorithms [Courcoubetis et al. 1991,1992; Gerth et al. 1995; Couvreur 1999; Hammer et al. 2005], which allowrunning several steps of the procedure in an interleaved fashion without theneed to finish all previous phases of the procedure before proceeding to thenext one. This interleaving of the verification steps is often essential in prac-tice in trying to find a violation of the given logical specification as quickly aspossible without generating and storing all intermediate results, which mayhave prohibitively high resource requirements in the worst case. The statespace explosion problem has encouraged active research, in particular, onefficient on-the-fly search algorithms for checking the set of words acceptedby a nondeterministic ω-automaton for emptiness. Although this problemis in principle straightforward to solve using standard algorithms for detect-ing cycles in a directed graph, much effort has nevertheless been put onoptimizing the performance of these algorithms and reducing their memoryusage in practical applications. The two main lines of state-of-the-art explicitstate emptiness checking algorithms for ω-automata using Büchi acceptancecan be divided into algorithms that analyze the maximal strongly connectedcomponents of automata [Couvreur 1999; Couvreur et al. 2005; Gelden-huys and Valmari 2004, 2005; Hammer et al. 2005]—usually, by extendingand optimizing the well-known algorithm of Tarjan [1971, 1972]—and al-gorithms based on the nested depth-first search introduced by Courcoubetiset al. [1991, 1992] (see, for example, [Godefroid and Holzmann 1993; Holz-mann et al. 1997; Bošnacki 2002, 2003; Gastin et al. 2004; Tauriainen 2004,2006; Schwoon and Esparza 2005; Couvreur et al. 2005]).

Alternating automata. A useful observation on understanding the connec-tion between logics and automata was made by Muller et al. [1988], whoshowed temporal logics to be naturally translatable into subclasses of alter-nating automata [Kozen 1976; Chandra and Stockmeyer 1976; Brzozowskiand Leiss 1980; Chandra et al. 1981] instead of the combinatorially morecomplex nondeterministic automata. Alternation combines the nondeter-ministic (existential) choice for the “next” state of an automaton with uni-versal choice to allow an automaton to enter possibly several “next” statesat once while reading its input by spawning copies of itself that work inde-pendently on the rest of the input. Muller et al. [1988] demonstrated theirapproach with a translation from a branching time version of the extendedtemporal logic of Wolper [1981, 1983] to weak alternating automata [Mulleret al. 1986, 1992]. As opposed to constructions for translating logics directlyinto nondeterministic automata, the size of which may be exponential in thelength of the logical specifications, the opportunity to mix existential anduniversal choice in automata gives rise to translation procedures which yield

1. INTRODUCTION 3

automata that have linear size in the length of the specifications. This con-nection between logic and alternating automata led to the introduction ofanother line of translation procedures from LTL and its extensions into au-tomata [Isli 1994, 1996; Vardi 1994; Rohde 1997; Manna and Sipma 2000;Gastin and Oddoux 2001, 2003; Fritz 2003; Tauriainen 2003; Hammer et al.2005].

The seemingly obvious advantage of using alternating automata in placeof nondeterministic automata to avoid combinatorial explosion in verifica-tion comes with a cost, however, since the extra succinctness in represen-tation prevents working with alternating automata using the same algorith-mic techniques that apply, for example, to language emptiness checking fornondeterministic automata. This difficulty is traditionally overcome by firsttranslating alternating automata into nondeterministic ones by applying oneof the nondeterminization constructions proposed in the literature for alter-nating automata on infinite words [Miyano and Hayashi 1984a,b; Lindsay1988; Isli 1994, 1996; Rohde 1997; Gastin and Oddoux 2001; Fritz 2003;Hammer et al. 2005; Fritz 2005] or trees [Muller et al. 1986, 1992; Emer-son and Jutla 1991; Muller and Schupp 1995]. Even though the exponentialworst-case combinatorial cost of nondeterminization appears to void any ad-vantages gained by translating LTL first into alternating automata, alternatingautomata have nevertheless been argued to provide useful additional insightinto translation procedures from LTL into automata [Vardi 1995]. For ex-ample, even though nondeterministic automata are in general strictly moreexpressive than LTL, direct translation procedures from LTL into automatado not usually concern themselves with any special properties of the con-structed automata, missing a possible correspondence between LTL and asubclass of nondeterministic automata. On the other hand, similarly to theequally expressive formalisms such as the first-order theory of linear order(whose expressiveness coincides further with star-free ω-languages [Thomas1979], and counter-free ω-automata [Thomas 1981]), LTL has been shown[Rohde 1997; Löding and Thomas 2000] to be expressively equivalent to asimple subclass of alternating automata known as very weak [Isli 1994, 1996;Rohde 1997; Gastin and Oddoux 2001], linear [Löding and Thomas 2000],or linear weak [Merz and Sezgin 2003; Hammer et al. 2005] alternating au-tomata. This strong correspondence between logic and automata allows tooptimize constructions for this special class of automata with techniques thatdo not necessarily apply to the strictly more expressive nondeterministic oralternating ω-automata, whose expressiveness matches that of the monadicsecond-order theory of linear order, or, equivalently, regular ω-languages,both in the nondeterministic [Büchi 1962; McNaughton 1966] and the al-ternating case [Miyano and Hayashi 1984a,b; Lindsay 1988].

Generalized transition-based acceptance. In practice, the implementa-tion of the verification procedure shown in Fig. 1.1 involves many decisions,such as choosing definitions to be used for the underlying automata. To max-imize the efficiency of an implementation, the chosen definitions shouldfacilitate expressing the automata succinctly (say, using as few states as possi-ble) while still allowing efficient manipulation of the automata. Even simplechanges in the definitions are known to affect the opportunities for mini-

4 1. INTRODUCTION

mizing the number of states in the automata: examples include the choicebetween single or multiple initial states, and various generalizations of thenotion of acceptance. For example, instead of specifying acceptance in anautomaton using a single set of designated “accepting” states that the au-tomaton should visit infinitely often, many automata translation proceduresfor LTL define acceptance using a family of state sets, all of which shouldbe visited infinitely often to make the automaton accept its input. This no-tion of generalized Büchi acceptance was originally introduced to facilitatethe expression of simple liveness requirements—previously studied, e.g., inbranching time temporal logic verification [Clarke et al. 1983, 1986]—onthe behavior of systems modeled as synchronizing automata [Aggarwal et al.1990]. Gerth et al. [1995] later used generalized acceptance as a concep-tual aid in their translation procedure from LTL into nondeterministic au-tomata for matching syntactic properties of LTL formulas directly with setsof accepting states. Unlike previous constructions, which defined automataas tableaux of the worst-case exponential size, the on-the-fly construction ofGerth et al. [1995], which can itself be seen to be based on earlier work ontableau methods for branching [Ben-Ari et al. 1981, 1983; Clarke and Emer-son 1982a,b] and linear time [Wolper 1981, 1983; Manna and Wolper 1982,1984; Wolper 1985] logics, provided an explicit procedure for constructingonly the actually relevant part of an automaton. This feature of the construc-tion made it a popular source of many related translation procedures, fromdirect improvements to the explicit tableau construction [Daniele et al. 1999;Somenzi and Bloem 2000; Wolper 2001; Giannakopoulou and Lerda 2002;Thirioux 2002; Sebastiani and Tonetta 2003] to translations geared towards asymbolic representation of the automata [Couvreur 1999; Schneider 2001].

The multiple sets of accepting states also have a direct impact on the suc-cinctness of the representation of automata, even though the additional setsdo not add to the expressive power of the automata [Emerson and Sistla1984a,b; Courcoubetis et al. 1991, 1992]. Although still more succinct rep-resentations are possible through further generalizations of acceptance withno change in the expressiveness of the automata (see, for example, [Thomas1997], for a survey of various classic notions of acceptance), such alternativenotions have been only rarely used in the context of translating LTL intoautomata [Michel 1985; de Jong 1992].

Acceptance can also be generalized by associating it with the transitionsinstead of the states of an automaton [Couvreur 1999; Gastin and Oddoux2001; Giannakopoulou and Lerda 2002; Thirioux 2002; Tauriainen 2003].As in the case of moving from one to many acceptance sets, this simplechange in the notion of acceptance does not add to the expressiveness of theautomata due to the interreducibility of state-based and transition-based ac-ceptance (see, for example, Chapter 1 of the textbook [Perrin and Pin 2004]).However, the transition-based notion for acceptance is again more succinct:even though state-based acceptance can be reduced to transition-based ac-ceptance without adding any new states or transitions to an automaton—visiting a state infinitely often implies taking a transition leaving the stateinfinitely often—the same does not hold for the converse reduction in thegeneral case. It can thus be said that transition-based acceptance general-izes state-based acceptance (see, e.g., [Giannakopoulou and Lerda 2002] for

1. INTRODUCTION 5

LTL spec-ification

alternatingautomaton

nondeterminis-tic automaton(generalizedacceptance)

nondeterminis-

(Büchi ac-ceptance)

tic automatonverifi-cation

[Vardi and Wolper 1986]

[Gerth et al. 1995]

[Hammer et al. 2005]

[Gastin and Oddoux 2001]

[Giannakopoulou and Lerda 2002]

[Couvreur 1999]

this work

state-based acceptance

transition-based acceptance

Fig. 1.2: Differences between automata-theoretic LTL verification procedures sug-gested in the literature

examples). A similar asymmetry concerns the placement of labels, i.e., thesymbols that the automaton reads from its input, in the automata; again,replacing single symbols with sets of symbols, or placing the labels on transi-tions instead of states lead to more succinct definitions for automata.

The use of nondeterministic automata with generalized transition-basedacceptance for LTL verification was proposed by Couvreur [1999] and lateradvocated by many other authors due to its simple benefits for minimizingthe representation of automata [Gastin and Oddoux 2001; Thirioux 2002;Giannakopoulou and Lerda 2002; Duret-Lutz and Poitrenaud 2004]. Tau-riainen [2003] considered extending the transition-based approach to alter-nating automata. To take the best possible advantage of these automata inthe verification procedure, each verification step should preferably be imple-mented with algorithms that are able to work directly with this definition toavoid spending additional effort on converting between expressively equiva-lent formalisms. Surprisingly, only few constructions [Couvreur 1999; Tauri-ainen 2003; Hammer et al. 2005] strive to achieve this goal fully in practice:most other translations suggested in the literature employ additional conver-sions between formalisms to finally obtain automata with a classic Büchi ac-ceptance condition specified using a set of states. Figure 1.2 illustrates someof these conceptual differences between several automata-theoretic LTL ver-ification procedures suggested in the literature. For simplicity, we list only asingle representative reference to literature on the various approaches.

6 1. INTRODUCTION

Minimization of automata. The verification procedure for LTL has alsoraised interest in techniques for the minimization of ω-automata in generalto counter combinatorial explosion. In addition to techniques that exploitspecial structural properties of automata [Rohde 1997; Etessami and Holz-mann 2000; Somenzi and Bloem 2000; Gastin and Oddoux 2001; Thirioux2002], constructions based on various simulation relations have also beenproposed for the minimization of both nondeterministic [Etessami and Holz-mann 2000; Somenzi and Bloem 2000; Etessami et al. 2001, 2005; Etessami2002; Gurumurthy et al. 2002] and alternating automata [Fritz and Wilke2002, 2005; Fritz 2003]. On the other hand, the translation of LTL intoautomata has been improved further by making use of syntactic techniquessuch as simplifying LTL specifications by rewriting [Etessami and Holzmann2000; Somenzi and Bloem 2000; Thirioux 2002]. These optimizations ap-pear in Fig. 1.1 as the dashed loops “inside” each translation phase. Syntac-tic optimization techniques have been applied also to the translation stepsbetween phases [Daniele et al. 1999; Giannakopoulou and Lerda 2002].

Symbolic tableau procedures. In addition to the explicit automata-basedapproach to LTL verification, there exist also verification methods that per-form their task using implicit “symbolic” representations of systems and ta-bleaux built from logical specifications [Clarke et al. 1994, 1997; Kesten et al.1998]. As a matter of fact, procedures suggested for the construction of suchtableaux [Lichtenstein and Pnueli 1985, 2000; Burch et al. 1992; Kesten et al.1993; Clarke et al. 1994, 1997; Kesten et al. 1998] can easily be seen as an-other line of automata translation procedures by identifying the nodes ina tableau directly with the states of a nondeterministic automaton. How-ever, due to the implicit representation used for the connections betweentableau nodes (which can analogously be identified with transitions of a cor-responding automaton), the symbolic tableau constructions are not usuallyconcerned with questions such as the minimization of the number of nodesin the tableaux.

Extensions to other logics. Although most translation procedures fromLTL into automata—including the one that will be presented in this work—concentrate only on future time, also constructions for LTL extended withpast time connectives have been proposed in the literature, using both non-deterministic [Vardi and Wolper 1986; Ramakrishna et al. 1992b; Schnei-der 2001] and alternating automata [Manna and Sipma 2000; Kupfermanet al. 2001; Gastin and Oddoux 2003] in the translation. Extensions toother specification formalisms include constructions for branching time log-ics [Bernholtz et al. 1994; Kupferman et al. 2000], logics augmented withextended operators [Vardi 1988; Vardi and Wolper 1994; Kupferman et al.2001; Laroussinie et al. 2002; Bustan et al. 2005] or first-order quantifica-tion [Etessami 1999], the propositional µ-calculus [Emerson and Jutla 1991;Emerson et al. 1993, 2001], interval logics [Ramakrishna et al. 1992a, 1996],and temporal logics on infinite traces instead of words [Gastin et al. 1998;Bollig and Leucker 2001, 2003]. On the other hand, special constructionstargeted towards efficient automata translation of LTL safety properties havealso been proposed [Geilen 2001; Latvala 2003], together with constructions

1. INTRODUCTION 7

that aim to reduce nondeterministic choice between transitions in automata[Thirioux 2002; Sebastiani and Tonetta 2003].

Organization and Contributions of This Work

This work presents a unified approach to translating future-time LTL intoautomata and checking for the emptiness of the automata by making useof special cases of a single definition of alternating ω-automata with gener-alized transition-based acceptance throughout all constructions, advocating(as many authors before) this type of acceptance as a concept well-suited forboth understanding and implementing the verification procedure. Some ofthe presented results have previously appeared in [Tauriainen 2003, 2004,2005, 2006].

The chosen type of generalized acceptance, which combines an “inverse”interpretation of classic nongeneralized Büchi acceptance (previously usedin LTL-to-automata translation procedures by Gastin and Oddoux [2001])with the intuitive connection between multiple “acceptance conditions” andsyntactic properties of LTL formulas [Gerth et al. 1995], is used to definea translation procedure in which the introduction of new acceptance con-ditions is completely transparent. Another technique used for simplifyingthe presentation is to adopt a definition of alternating automata which sup-ports direct representation of individual transitions, which are essential, forexample, for depicting automata as traditional state graphs; the concept ofa transition is also convenient for designing and explaining simplificationtechniques for alternating automata. Similarly, a definition of runs of alter-nating automata is used that allows many standard theoretical constructionson runs of alternating automata (for example, obtaining a finite representa-tion for the “levels” of a run after uniformization; see, for example, [Mullerand Schupp 1995]) to be viewed as direct transformations on runs of alternat-ing automata. The basic definitions of infinite words, linear time temporallogic and automata are reviewed in Ch. 2. This chapter also introduces self-loop alternating automata, which can be seen as another “transition-based”version of a subclass of alternating automata known as very weak alternating[Isli 1994, 1996; Rohde 1997; Gastin and Oddoux 2001], alternating linear[Löding and Thomas 2000], or linear weak alternating [Merz and Sezgin2003; Hammer et al. 2005] automata. Throughout this work, the main con-structions used in the transformation of automata and their runs are given fullcorrectness proofs by systematically using a basic toolset of simple results onthe properties of runs of generalized alternating automata. Also this toolset islaid out in Ch. 2.

Chapter 3 reviews a basic translation procedure from LTL into self-loopalternating automata. This procedure, which is based on the application ofsimple translation rules for joining automata built for simple LTL formulasincrementally into more complex automata, is closely related to the con-struction of Gastin and Oddoux [2001] and satisfies the best known upperbounds for the sizes of components in automata corresponding to LTL for-mulas. Similarly to related constructions, however, this procedure needs ex-ponential space in the length of the formula in the worst case due to theexplicit representation of transitions. This chapter also reviews the result ofRohde [1997] and Löding and Thomas [2000] on the expressive equivalence

8 1. INTRODUCTION

of LTL and subclasses of alternating automata by presenting a reverse trans-lation from self-loop alternating automata into LTL formulas and analyzingits complexity.

Chapter 4 introduces constructions for translating self-loop alternating ω-automata into nondeterministic ω-automata, again generalizing results pre-sented by Gastin and Oddoux [2001]. Unlike alternating ω-automata ingeneral, self-loop alternating ω-automata with generalized acceptance canbe translated into nondeterministic automata using a construction that veryclosely resembles the classic subset construction of Rabin and Scott [1959]for determinizing automata on finite words. In general, however, the nonde-terministic ω-automaton may have to use a more complex form of the gen-eralized acceptance condition. This is nevertheless not necessary for a classof alternating automata that have uniform acceptance synchronized runs (anew concept introduced in Ch. 4) on all words that they recognize; in par-ticular, all automata built from LTL formulas using the translation proce-dure from Ch. 3 have this property. Moreover, the nondeterminization con-struction can be optimized further for these automata by adapting syntactictechniques known from direct translation procedures between LTL and au-tomata [Daniele et al. 1999; Giannakopoulou and Lerda 2002]. In somecases, it is possible to avoid the application of a subset construction entirelyif the formula to be translated into an automaton belongs to a special syntac-tic subclass of LTL which translates directly into alternating automata thatsupport simple completion into nondeterministic automata. This subclass,previously mentioned in the context of symbolic translation algorithms bySchneider [1999], is shown to be closely related also to the syntactic subclassLTLdet introduced by Maidl [2000a]. The satisfiability problem of formulasin this subclass of LTL is shown to be NP-complete.

Chapter 5 studies the optimization of the basic translation rules presentedin Ch. 3 by making use of language containment relationships between self-loop alternating automata. These relationships can also be used to designrefined translation rules that aim to simplify the transition structure of au-tomata built with those basic rules which are the main cause of the expo-nential worst-case space requirements in the basic translation procedure—however, sometimes with a penalty on the number of states in the con-structed automata. Some of the refined rules nevertheless prove to be ap-plicable universally as replacements of the basic translation rules without aneed to apply computationally expensive tests for language containment re-lationships. The automata built using the refined rules can still be translatedinto nondeterministic automata without changing the form of generalizedacceptance by applying optimized constructions from Ch. 4. Furthermore,the refined rules also lead to an extension of the syntactic subclass of LTLwhich translates into automata that can be completed into nondeterminis-tic automata without applying a general nondeterminization construction.The satisfiability problem for this strictly more expressive subclass remainsNP-complete.

Chapter 6 focuses on the simplification of self-loop alternating automataby making use of language containment tests to remove transitions from theautomata. The application of the presented simplification techniques andthe refined translation rules from Ch. 5 is illustrated with examples, which

1. INTRODUCTION 9

include a comparison against the translation procedure proposed by Gastinand Oddoux [2001]. The optimization techniques discussed in Ch. 5 andCh. 6 are put together in Ch. 7 into a high-level refined translation procedurefrom LTL into self-loop alternating automata.

Chapter 8 presents a new generalized version of the classic nested depth-first search algorithm of Courcoubetis et al. [1991, 1992] for checking theemptiness of nondeterministic automata with generalized transition-basedacceptance. The new algorithm improves the search algorithm’s worst-caseresource requirements, in particular, by reducing the number of additionalbits that need to be stored with every visited state (in a simple hash tablebased implementation) from linear to logarithmic in the number of general-ized acceptance conditions.

Finally, Ch. 9 concludes the work by highlighting the main results anddiscussing directions for further work.

10 1. INTRODUCTION

2 DEFINITIONS AND BASIC RESULTS

2.1 MATHEMATICAL CONCEPTS AND NOTATION

We assume basic knowledge on sets, ordered tuples, graphs, trees, relationsand functions (mappings), and the principle of mathematical induction. Wealso refer to basic concepts of computability theory (O-notation, decisionproblems, deterministic and nondeterministic decision procedures, complex-ity classes NP and PSPACE, hardness and completeness for complexityclasses) without presenting their formal definitions; see any textbook on com-putability theory (for example, [Papadimitriou 1994]) for details.

We shall work with the set of natural numbers Ndef= {0, 1, 2, . . .} extended

with an element ω /∈ N. For notational simplicity, we shall not make useof the formal theory of ordinals in this presentation; instead, we extend thestandard total ordering <⊆ N×N of the natural numbers into

(N∪ {ω}

)×(

N∪ {ω})

by defining ω to be an element that satisfies ω ≮ ω and n < ω forall n ∈ N. Comparison between elements of N ∪ {ω} will often be denotedalso by the operators =, ≤, ≥ and>with their usual semantics. Furthermore,we also extend addition on the natural numbers to (N ∪ {ω}) × (N ∪ {ω})

by defining ω + ndef= n+ ω

def= ω + ω

def= ω.

Let X and Y be sets. The sets X and Y are equipollent if and only if (iff)there exists a bijective mapping f : X → Y . If there exists a natural numbern ∈ N such that X is equipollent to the (possibly empty) set {1, 2, . . . , n} ⊆N, we say that X is a finite set of size n (denoted by |X| = n). If X isequipollent to the set of natural numbers N, we say that X is (countably)infinite and define |X| = ω. The powerset of X (denoted by 2X) is defined

as the set of all subsets of X , i.e., 2Xdef= {Y | Y ⊆ X}.

If X is a subset of another set Y , we denote by Y \ X the complement

of X with respect to Y (i.e., Y \ Xdef= {x ∈ Y | x /∈ X}). When the set

Y is clear from the context, we often denote the complement of X by theshorthand notation X .

2.1.1 Sequences

Let X be a nonempty set. A sequence (called occasionally also a word infurther discussion) x over X is a mapping x : I → X , from an index set

Idef=

{n ∈ N n < m for some m ∈ N ∪ {ω}

}to X . For all i ∈ I , x(i)

is called the (i + 1)th element of x. We may also describe x by “listing itselements” as x = (xi)i∈I = (x0, x1, x2, . . .) (more simply, x = x0x1x2 . . .)

where xidef= x(i) for all i ∈ I . We call |x|

def= |I| the length of the sequence.

For all n ∈ N∪{ω}, we denote the class of all sequences overX of length n byXn. The unique sequence in X0 is called the empty sequence over X and isdenoted by εX . Each element of X can be treated as a sequence by applying

the obvious isomorphism between X and X1. The set X∗ def=

⋃0≤i<ωX

i

is the set of all finite sequences over X ; Xω denotes the set of all infinitesequences.

Sequences can be used to define other sequences. Let x : I → X be a

2. DEFINITIONS AND BASIC RESULTS 11

sequence over X , let i ∈ I , and let 0 ≤ j ≤ |I|. The sequence x′ : I ′ → X ,

where I ′def= {n ∈ N | i ≤ n + i < j} and x′(k)

def= x(k + i) for all k ∈ I ′, is

called a subsequence (alternatively, a subword ) of x and denoted by x[i,j). Ifi = 0, then x′ is a prefix of x; if j = |I|, then x′ is called a suffix. In this casewe usually refer to x[i,j) using the simpler notation xi. Clearly, the suffix xi

is infinite iff x is infinite. Two subsequences x1 = x[i1,j1) and x2 = x[i2,j2) ofa sequence x (0 ≤ i1, i2 < |x|, 0 ≤ j1, j2 ≤ |x|) are syntactically identical(denoted x1 = x2) iff |x1| = |x2| holds, and x1(i) = x2(i) holds for all0 ≤ i < |x1|; otherwise they are syntactically distinct (x1 6= x2).

If x1 : I1 → X1 and x2 : I2 → X2 are two sequences with |x1| < ω, theconcatenation of x1 and x2 (denoted x1x2) is the sequence x :

{n ∈ N n <

|I1| + |I2|}→ X1 ∪X2 defined by

x(i)def=

{x1(i) if 0 ≤ i < |I1|x2(i− |I1|) if |I1| ≤ i < |I1| + |I2|

Because concatenation is an associative operation, i.e., because (xy)z =x(yz) holds for all sequences x, y and z (|x| < ω, |y| < ω), we usuallywrite concatenations of sequences without parentheses.

2.1.2 ω-Regular Expressions

Let X be a nonempty set (called the alphabet). We shall often describesubsets ofXω by means of ω-regular expressions over X . The set of ω-regularexpressions over X is the smallest set of finite sequences built from elementsof X and the symbols (, ), ∪, ∗, ω (not included in X) such that the setis closed under finite application of the following syntactic rules (formallydefined using concatenation of sequences; in the definition of the rules, wealso make use of an auxiliary set of r-expressions over X):

• Each element of X is an r-expression.

• If α and β are r-expressions, then (α∪β), (αβ) and α∗ are r-expressions.

• If α is an r-expression and β is an ω-regular expression, then αω and(αβ) are ω-regular expressions.

• If α and β are ω-regular expressions, then (α ∪ β) is an ω-regular ex-pression.

Each r-expression (ω-regular expression) α defines a set of finite (resp. infi-nite) nonempty words over X . We denote the set of words defined by ther-expression or ω-regular expression α by L(α) and call this set the languageof α. Formally, L(α) is defined for r-expressions and ω-regular expressions asfollows:

• L(α)def=

{x : {0} → X x(0) = α

}for all α ∈ X (i.e., the singleton

set containing the unique sequence of length 1 with α ∈ X as its firstelement);

• L((α∪β)

)def= L(α)∪L(β), where α and β are either both r-expressions

or both ω-regular expressions (the sequences that belong to either orboth of L(α) and L(β));

12 2. DEFINITIONS AND BASIC RESULTS

• L((αβ)

)def=

{xy x ∈ L(α), y ∈ L(β)

}for any r-expression α and

any r-expression or ω-regular expression β (the sequences formed byconcatenating a sequence from L(β) to a sequence in L(α));

• L(α∗)def= {εX} ∪

⋃1≤i<ω

{x1x2 . . . xi xj ∈ L(α) for all 1 ≤ j ≤ i

}

for any r-expression α (the set of sequences obtained by finite concate-nations of zero or more sequences in L(α))

• L(αω)def=

{x1x2x3 . . . xi ∈ L(α) \ {εX} for all 1 ≤ i < ω

}for any

r-expression α (the set of infinite sequences obtained by concatenatingnonempty sequences in the language of α).

Whenever the language of an ω-regular expression α is a singleton set, itis conventional to identify the ω-regular expression with the unique word inits language. In such cases we shall simply speak of the word α instead of“the unique word in the language of α”. Similarly, we can also identify anonempty finite word w : I → X (0 < |I| < ω) with an r-expression andwrite w∗ and wω to denote the languages obtained by finite (resp. infinite)concatenations of the finite word w. In addition, we simplify the general no-tation by omitting parentheses from r-expressions and ω-regular expressionswhenever possible by fixing the precedence of ∪, ∗, ω and concatenation suchthat ∗ and ω have precedence over concatenation, which has precedence over∪.

Example 2.1.1 The ω-regular expression aω represents the infinite wordformed by repeating the symbol a indefinitely, the ω-regular expression aω ∪b∗cω represents all infinite words formed either from an infinite sequenceof a’s, or a (possibly empty) finite sequence of b’s followed by an infinitesequence of c’s, and the ω-regular expression (a ∪ b ∪ c)∗(ab∗)ω representsthe language of infinite words built from the letters a, b and c such that eachword in the language contains infinitely many a’s but only finitely many c’s.

�

2.2 PROPOSITIONAL LINEAR TIME TEMPORAL LOGIC

As seen in Ex. 2.1.1, ω-regular expressions provide a means for specifyinginfinite sequences. However, the basic operations for building ω-regular ex-pressions from simpler expressions are not always very convenient for defin-ing languages in practice. For example, even though the languages defin-able using ω-regular expressions over a given alphabet are closed under theBoolean operations (union, intersection and complementation with respectto the language of all infinite words over the given alphabet) [Büchi 1962;McNaughton 1966], finding an ω-regular expression for a given Booleancombination of languages defined by simpler expressions is often difficult inpractice (especially for complementation). This difficulty of combining sim-ple expressions into more complex ones is clearly an undesirable property fora language intended for specifying infinite sequences. Popular specificationlanguages are therefore usually based on alternative formalisms. In partic-ular, languages based on formal logic support expressing Boolean combina-tions of specifications directly by using the corresponding operations in the


logic. Among the best-known such logics suggested for reasoning about thebehavior of nonterminating systems is the propositional linear time temporallogic (LTL) proposed by Pnueli [Pnueli 1977; Gabbay et al. 1980; Pnueli1981]. Although this logic formally captures only a strict subset of the se-quences specifiable using ω-regular expressions (see, for example, [Thomas1990]), the logic nevertheless covers a class of specifications that is expressiveenough for many actual verification tasks [Manna and Pnueli 1992]. In thissection, we shall review the syntax and semantics of this logic.

2.2.1 Syntax

Let AP be a countable set of atomic propositions. The set LTL(AP) ofpropositional linear time temporal logic formulas over the atomic propo-sitions AP is the smallest set of finite sequences built from elements ofAP , parentheses “(” and “)”, the symbol >, propositional connectives (oroperators) ¬, ∨, and temporal connectives (operators) X and Us such thatLTL(AP) includes {>} ∪ AP as a subset (where we assume that AP doesnot include any of the symbols listed above) and is closed under the finiteapplication of the syntactic rule

If ϕ, ψ ∈ LTL(AP), then ¬ϕ, (ϕ ∨ ψ), Xϕ, (ϕUs ψ) ∈ LTL(AP).

A subformula of a formula ϕ ∈ LTL(AP) is a subsequence of ϕ that belongsto LTL(AP). The collection of all syntactically distinct subformulas of ϕ isdenoted by Sub(ϕ). It is easy to check (by induction on the length of ϕ) that|Sub(ϕ)| ≤ |ϕ| holds for all ϕ ∈ LTL(AP).

The formula ϕ ∈ LTL(AP) is called a literal iff ϕ = p or ϕ = ¬pholds for some atomic proposition p ∈ AP ; literals and the symbol > arecalled atomic formulas. If ϕ /∈ {>} ∪ AP holds (i.e., ϕ = ◦ϕ1 for ◦ ∈{¬,X}, or ϕ = (ϕ1 ◦ ϕ2), where ◦ ∈ {∨,Us}, and ϕ1, ϕ2 ∈ LTL(AP)),ϕ is called a compound formula with main connective ◦, and ϕ1 and ϕ2

are the top-level subformulas of ϕ. The arity of a compound formula andits main connective is the number of top-level subformulas in the formula;formulas (connectives) of arity 1 and 2 are called unary and binary formulas(connectives), respectively.

A formula ϕ ∈ LTL(AP) that does not contain any temporal connectivesis called a propositional (or Boolean) formula, otherwise it is a temporalformula; the set of all propositional formulas over the atomic propositionsAP is denoted by PL(AP). The formula ϕ is called a pure temporal formulaiff ϕ = Xϕ1 or ϕ = (ϕ1 Us ϕ2) holds for some ϕ1, ϕ2 ∈ LTL(AP). We definethe set Temp(ϕ) as the maximal subset of Sub(ϕ) which contains only puretemporal formulas.

2.2.2 Semantics

Basic operatorsLinear time temporal logic formulas are interpreted over infinite sequencesof sets of atomic propositions chosen from AP , i.e., elements of the power-set 2AP of AP . The semantics of linear time temporal logic in an infinitesequence w ∈ (2AP)ω of subsets of AP is defined inductively using a binaryrelation |= as follows:


• w |= >.

• If p ∈ AP , then w |= p iff p ∈ w(0).

• w |= ¬ϕ iff w |= ϕ does not hold (denoted also by w 6|= ϕ).

• w |= (ϕ ∨ ψ) iff w |= ϕ or w |= ψ.

• w |= Xϕ iff w1 |= ϕ. [Next time]

• w |= (ϕUs ψ) iff there exists an index 0 ≤ i < ω such that wi |= ψholds, and wj |= ϕ holds for all 0 ≤ j < i. [Strong Until]

We say that w ∈ (2AP)ω satisfies (alternatively, is a model of) the formula

ϕ ∈ LTL(AP) iff w |= ϕ holds. The set L(ϕ)def=

{w ∈ (2AP)ω w |= ϕ

}

of all models of ϕ is called the language of ϕ. The formula ϕ is satisfiableif L(ϕ) 6= ∅ holds and unsatisfiable otherwise. The formula ϕ is valid iff¬ϕ is unsatisfiable. For all formulas ϕ1, ϕ2 ∈ LTL(AP), it is clear from thedefinition of the semantics that L

((ϕ1 ∨ ϕ2)

)= L(ϕ1) ∪ L(ϕ2), and the

complement L(ϕ1)def= (2AP)ω \ L(ϕ1) of the language of ϕ1 with respect to

(2AP)ω equals L(¬ϕ1). For a pair of formulas ϕ, ψ ∈ LTL(AP), we writeϕ ≡ ψ as a shorthand for L(ϕ) = L(ψ); in this case we say that ϕ and ψare logically equivalent. Clearly, two syntactically identical LTL formulasare always logically equivalent, but the converse does not hold in general (forexample, ϕ ≡ ¬¬ϕ holds for all formulas ϕ ∈ LTL(AP), but ϕ 6= ¬¬ϕ).If ϕ ∈ LTL(AP) is an LTL formula with a subformula ψ ∈ Sub(ϕ), thenit is easy to check from the semantics of propositional linear time temporallogic that ϕ′ ≡ ϕ holds for the formula ϕ′ ∈ LTL(AP) obtained from ϕ bysubstituting a formula ψ′ ∈ LTL(AP) for any occurrence of the subformulaψ in ϕ whenever ψ′ ≡ ψ holds.

If ϕ ∈ PL(AP), we project the satisfaction relation from infinite se-quences in (2AP)ω to subsets of AP and use the traditional notation σ |= ϕ(σ ⊆ AP ) for propositional satisfiability. (Formally, using the above def-inition, σ |= ϕ is equivalent to the statement that w |= ϕ holds for allw ∈ (2AP)ω with w(0) = σ.)

Derived operatorsThe set of linear time temporal logic formulas is often extended by introduc-ing derived constants or connectives expressible in terms of the basic con-stants and connectives > (“true”), ¬ (negation), ∨ (disjunction), X (NextTime) and Us (Strong Until). The derived connectives allow more flex-ible expression of LTL properties without changing the expressiveness ofthe logic. Standard extensions include the Boolean constant ⊥ (“false”:

⊥def

≡ ¬>), the propositional connectives ∧ (conjunction: (ϕ1 ∧ ϕ2)def

≡

¬(¬ϕ1 ∨ ¬ϕ2)), → (implication: (ϕ1 → ϕ2)def

≡ (¬ϕ1 ∨ ϕ2)), ↔ (equiva-

lence1: (ϕ1 ↔ ϕ2)def

≡((ϕ1 → ϕ2) ∧ (ϕ2 → ϕ1)

)) and ⊕ (exclusive dis-

junction: (ϕ1 ⊕ ϕ2)def

≡ ¬(ϕ1 ↔ ϕ2)) as well as temporal connectives suchas

1Although ≡ and ↔ both capture logical equivalence between formulas, we do not con-sider the operator ≡ to be part of the (extended) syntax of the logic. This operator will bemainly used for separating different steps in derivations of logically equivalent LTL formulas.


• F: w |= Fϕ iff w |= (>Us ϕ). [Finally]

• G: w |= Gϕ iff w |= ¬F¬ϕ. [Globally]

• Uw: w |= (ϕUw ψ) iff w |=(Gϕ ∨ (ϕUs ψ)

). [Weak Until]

• Rw: w |= (ϕRw ψ) iff w |= ¬(¬ϕUs ¬ψ), [Weak Release]equivalently, iff w |=

(ψ Uw (ϕ ∧ ψ)

).

• Rs: w |= (ϕRs ψ) iff w |= ¬(¬ϕUw ¬ψ), [Strong Release]equivalently, iff w |=

(ψ Us (ϕ ∧ ψ)

).

The sets of propositional and temporal formulas are extended in the obviousway. We also extend the satisfaction relation |= to disjunctions and conjunc-tions over sets of LTL formulas in the traditional way: for any finite subsetΦ ⊆ LTL(AP) and any w ∈ (2AP)ω, w |=

∨ϕ∈Φ ϕ (w |=

∧ϕ∈Φ ϕ) holds

iff w |= ϕ holds for some (for all) ϕ ∈ Φ. (By convention, w 6|=∨ϕ∈∅ ϕ

and w |=∧ϕ∈∅ ϕ hold for all w ∈ (2AP)ω.) For convenience, we shall oc-

casionally abuse the notation∨ϕ∈Φ ϕ and

∧ϕ∈Φ ϕ to denote any (arbitrarily

parenthesized) LTL formula formed by joining the elements in the set of for-mulas Φ ⊆ LTL(AP) in some order with either the ∨ or the ∧ connective,respectively. (By the commutativity and associativity of these connectives,all such formulas are logically equivalent.) For example, this notation can beused to define conjunctive and disjunctive normal forms of propositional for-mulas as formulas of the form

∧1≤i≤n

∨1≤j≤mi

ì,j and∨

1≤i≤n

∧1≤j≤mi

ì,j,respectively, where ì,j is a literal (i.e., ì,j ∈ {p,¬p} for some p ∈ AP ) forall 1 ≤ i ≤ n and 1 ≤ j ≤ mi (0 ≤ n < ω, 0 ≤ mi < ω for all 1 ≤ i ≤ n).

In this work, we assume all LTL formulas to be written using atomicpropositions, Boolean constants > and ⊥, and the (extended) set of connec-tives {¬,∨,∧,X,Us,Uw,Rs, Rw}. All other connectives are assumed to besubstituted with their definitions. The subscripts s and w used in the U andR connectives denote the strength of the connectives; a formula having oneof these connectives as its main connective is called a strong (s) or weak (w)temporal eventuality, respectively. The subscripts will sometimes be omittedif the strength of a connective is not relevant in the context.

The models of the temporal eventualities are infinite sequences over 2AP

that have an infinite suffix satisfying a designated top-level subformula (orboth top-level subformulas) of the eventuality. The strong temporal even-tualities (Us and Rs) require the existence of such a suffix unconditionally;their weak variants relax this requirement by permitting models in which an-other top-level subformula (determined by the type of the connective) holdsthroughout the entire sequence.2 In our notation, Us and Rw correspond tothe traditional Until and Release connectives commonly used in the litera-ture (see, for example, [Clarke et al. 1999]).

2.2.3 Positive Normal Form

We shall present most of our constructions involving LTL formulas using asyntactically restricted subset of LTL formulas in which the use of negation

2For this reason, weak temporal eventualities are sometimes referred to as invarianceproperties in the literature.


Table 2.1: LTL operators and their duals

◦ ∨ ∧ Us Uw Rs Rw

◦ ∧ ∨ Rw Rs Uw Us

is allowed only immediately before atomic propositions. Formally, we definethis set LTLPNF(AP) of LTL formulas (over a set AP of atomic propositions)in positive normal form as

LTLPNF(AP)def=

{ϕ ∈ LTL(AP) for all 0 ≤ i < |ϕ| − 1 :

if ϕ(i) = ¬, then ϕ(i+ 1) ∈ AP}

.

The restriction to LTLPNF(AP) does not reduce the expressive power ofthe logic when using the extended set of LTL operators fixed above: anyformula ϕ ∈ LTL(AP) can be written as a logically equivalent LTL formula[ϕ]PNF in positive normal form defined recursively as follows:

[ϕ]PNF def= ϕ if ϕ is an atomic formula

[¬>]PNF def= ⊥

[¬⊥]PNF def= >

[¬¬ϕ1]PNF def

= [ϕ1]PNF

[Xϕ1]PNF def

= X[ϕ1]PNF

[¬Xϕ1]PNF def

= X[¬ϕ1]PNF

[(ϕ1 ◦ ϕ2)

]PNF def=

([ϕ1]

PNF ◦ [ϕ2]PNF

)[¬(ϕ1 ◦ ϕ2)

]PNF def=

([¬ϕ1]

PNF ◦ [¬ϕ2]PNF

)

where ϕ1, ϕ2 ∈ LTL(AP) are the top-level subformulas of ϕ if ϕ is a com-pound formula, ◦ ∈ {∨,∧,Us,Uw,Rs,Rw}, and ◦ is the dual operator of ◦defined as shown in Table 2.1.

It is easy to check (by induction on |ϕ|) that [ϕ]PNF is in positive normalform. Similarly, [ϕ]PNF ≡ ϕ holds since each case in the definition of [ϕ]PNF

is based on some LTL identity (in particular, the “generalized” De Morganlaw ¬(ϕ1 ◦ ϕ2) ≡ (¬ϕ1 ◦ ¬ϕ2) holds for all ϕ1, ϕ2 ∈ LTL(AP) and ◦ ∈{∨,∧,Us,Uw,Rs,Rw}). Furthermore, it is easy to see that [ϕPNF] < 2 · |ϕ|holds, and thus Sub

([ϕ]PNF

)≤ [ϕPNF] < 2 · |ϕ|. Similarly, because

the number of temporal operators in [ϕ]PNF is always equal to their numberin ϕ (as is again easily checked from the recursive definition), [ϕ]PNF hasat most twice as many syntactically distinct pure temporal subformulas as ϕ(each pure temporal subformula of [ϕ]PNF either equals [ψ]PNF or [¬ψ]PNF

for some ψ ∈ Temp(ϕ)).

Example 2.2.1 We find the positive normal form of the LTL formula

ϕdef= ¬

(((¬p1 Rw p2) ∧ ¬(⊥Rw ¬p1)

)∧ Xp2

)∈ LTL

({p1, p2}

).


Applying the recursive definition, we get

[ϕ]PNF =[¬(((¬p1 Rw p2) ∧ ¬(⊥Rw ¬p1)) ∧ Xp2

)]PNF

=([¬((¬p1 Rw p2) ∧ ¬(⊥Rw ¬p1))

]PNF∨ [¬Xp2]

PNF)

=((

[¬(¬p1 Rw p2)]PNF ∨ [¬¬(⊥Rw ¬p1)]

PNF)∨ X[¬p2]

PNF)

=((

([¬¬p1]PNF Us [¬p2]

PNF) ∨ [(⊥Rw ¬p1)]PNF

)∨ X¬p2

)

=((

([p1]PNF

Us ¬p2) ∨ ([⊥]PNFRw [¬p1]

PNF))∨ X¬p2

)

=((

(p1 Us ¬p2) ∨ (⊥Rw ¬p1))∨ X¬p2

).

�

For all formulas ϕ ∈ LTLPNF(AP), we define the node size of ϕ (denotedby NSize(ϕ)) and the set of node subformulas of ϕ (NSub(ϕ)) as follows:

NSize(ϕ)def= 1 +

{0 ϕ atomic∑

ψ∈{ψ′∈Sub(ϕ)|ψ′ top-level} NSize(ψ) otherwise

NSub(ϕ)def= {ϕ} ∪

{∅ ϕ atomic⋃ψ∈{ψ′∈Sub(ϕ)|ψ′ top-level} NSub(ψ) otherwise

Informally, NSize(ϕ) corresponds to the number of nodes in a nonempty la-beled tree (labeled with subformulas of ϕ ∈ LTLPNF(AP)) such that the rootof the tree is labeled with ϕ itself, and each node labeled with a non-atomicsubformula ψ ∈ Sub(ϕ) has one or two children labeled with ψ’s top-levelsubformulas. The set NSub(ϕ) ⊆ Sub(ϕ) can then be identified as the set ofsyntactically distinct node labels occurring in the tree (alternatively, the setof nodes in a directed acyclic graph obtained from the tree by merging nodeswith identical labels). Because ϕ is in positive normal form, no internal nodeof the tree (i.e., a node with at least one child node) is labeled with a formulaof the form ¬ψ.

Clearly, NSize(ϕ) ≤ |ϕ| holds for all ϕ ∈ LTLPNF(AP), and for an arbi-trary LTL formula ϕ ∈ LTL(AP),

NSub([ϕ]PNF

)≤ NSize

([ϕ]PNF

)≤ [ϕPNF] < 2 · |ϕ|.

NSize(ϕ) and NSub(ϕ) will be useful for analyzing constructions involvingLTL formulas in positive normal form.

Example 2.2.2 Figure 2.1 shows the labeled tree representation of the LTLformula

ψdef=

(((p1 Us ¬p2) ∨ (⊥Rw ¬p1)

)∨ X¬p2

)∈ LTLPNF

({p1, p2}

)

defined in the previous example. From the tree representation it is easy toverify that NSize(ψ) = 10, and |NSub(ψ)|=

{ψ,

((p1Us¬p2) ∨ (⊥Rw¬p1)

),

(p1Us¬p2), p1,¬p2, (⊥Rw¬p1),⊥,¬p1,X¬p2

}= 9. �

2.3 ALTERNATING AUTOMATA

As a third formalism for characterizing sets of infinite words we consider fi-nite automata, i.e., finite state machines that are able to recognize words


``

(p1 Us ¬p2) ∨ (⊥Rw ¬p1)´

∨ X¬p2

´

`

(p1 Us ¬p2) ∨ (⊥ Rw ¬p1)´

X¬p2

(p1 Us ¬p2) (⊥ Rw ¬p1)

p1

¬p2

¬p2 ⊥ ¬p1

1

1111

2

33

7

10

Fig. 2.1: The LTL formula((

(p1 Us ¬p2) ∨ (⊥Rw ¬p1))∨ X¬p2

)as a labeled tree.

The number beside a node corresponds to the value of NSize(ψ) for the LTL for-mula ψ labeling the node

by reducing a given property of a word into a property of a state sequencegenerated by the machine when given the word as input. The automatongenerates this state sequence by examining the word one symbol at a time,choosing the next state to be generated from a finite (possibly empty) set of al-ternatives determined by the most recently generated state and the next sym-bol in the input. The concept of mixing this nondeterministic (existential)choice between several alternatives with universal choice for the next stateto be generated (intuitively, choosing multiple “next” states at once) was firstproposed for finite automata working on finite words by Kozen [1976] andChandra and Stockmeyer [1976], who defined the expressively equal notionsof parallel and alternating finite automata, respectively (and later combinedtheir work in [Chandra et al. 1981]). The Boolean automata of Brzozowskiand Leiss [1980] provide another equivalent way to combine existential anduniversal behavior in finite automata. This concept of alternation was laterextended to automata working on infinite words and trees by Miyano andHayashi [1984a,b] and Muller and Schupp [1985, 1987], respectively. Un-like a nondeterministic automaton, which always generates at most one nextstate at each step when working on its input, an alternating automaton can atany step generate multiple “next” states at once and spawn copies of itself thatwork independently on the remaining input. Thus, instead of mapping its in-put to a single state sequence, an alternating automaton may generate a col-lection of such sequences: whether the automaton recognizes (“accepts”) itsinput is then determined from the properties of this collection of sequences.

In the case of finite words, alternation allows for a succinct representationof “acceptable” sequences that does not add to the expressiveness of plainnondeterministic automata: for every alternating automaton accepting a setof finite words using n states, there exists a nondeterministic automaton thataccepts the same set of words. The nondeterministic automaton may havean exponential number of states in n in the worst case, however, because theminimal deterministic automaton simulating an alternating one may havea doubly exponential number of states in n in the worst case [Kozen 1976;Chandra and Stockmeyer 1976; Brzozowski and Leiss 1980; Chandra et al.1981; Leiss 1981]. An analogous correspondence holds between classes ofalternating and nondeterministic automata on infinite words under manynotions of acceptance [Miyano and Hayashi 1984a,b; Lindsay 1988; Mullerand Schupp 1995]. Together with the expressive power of automata (whichcan be made to coincide with that of the ω-regular expressions by using an


appropriate notion for acceptance [Büchi 1962; McNaughton 1966]) and thesuitability of automata for algorithmic analysis in general, the succinctness ofalternating automata provides the main motivation for applying them to thespecification and automatic verification of properties of infinite sequences.In this section, we review the basic definitions and properties of alternatingautomata on infinite words and some subclasses of the automata.

2.3.1 Basic Concepts

The combination of existential and universal choice between states of al-ternating automata can be captured by encoding the transitions of the au-tomata as arbitrary Boolean functions (formulas) on the states of the au-tomata [Kozen 1976; Chandra and Stockmeyer 1976; Brzozowski and Leiss1980; Chandra et al. 1981]; however, it is common to restrict the use of nega-tion [Chandra and Stockmeyer 1976] especially when working with infiniteinputs [Muller and Schupp 1985, 1987; Vardi 1994]. Although the Booleanrepresentation is convenient for proving many fundamental properties of al-ternating automata, such as their eligibility to an elegant complementationconstruction based on syntactic manipulation of the Boolean functions and“dualization” of the notion of acceptance [Muller and Schupp 1985, 1987],the notion of a single transition is not always explicit in the Boolean repre-sentation. Such a notion is nevertheless useful, for example, for representingautomata graphically as traditional state graphs. As we shall see later in Ch. 6,an explicit representation for the transitions is also convenient for the simpli-fication of the automata. For these reasons, we adopt a definition similarto the one used previously by Gastin and Oddoux [2001]; in this definition,the individual transitions leaving a state correspond to the disjuncts in thedisjunctive normal form of a corresponding Boolean function built from theBoolean constants, the states of the automaton and the ∨ and the ∧ connec-tives.

Formally, an alternating automaton is a tuple A=〈Σ, Q,∆, qI ,F〉, whereΣ is a finite set called the alphabet, Q is the finite set of states, qI ∈ Q is theinitial state, ∆ ⊆ Q × 2Σ × 2F × 2Q is the transition relation and F is thefinite set of acceptance conditions.

Individual elements in the transition relation ∆ are called transitions ofthe automaton. The components of a transition t = 〈q,Γ, F,Q′〉 ∈ ∆ (forsome q ∈ Q, Γ ⊆ Σ, F ⊆ F , Q′ ⊆ Q) are called the source state, theguard, the acceptance conditions, and the target states of t, respectively. Thetransition t is an initial transition of A iff the source state of t is the initialstate of the automaton A (q = qI), a self-loop iff it includes its own sourcestate in its target states (q ∈ Q′), and (for an acceptance condition f ∈ F )an f -transition iff it includes the condition f in its acceptance conditions(f ∈ F ). A state q′ ∈ Q is an f -state iff it is the source state of an f -transitionin A.

The well-known class of nondeterministic finite automata arises as a spe-cial case of alternating automata in which |Q′| = 1 holds for every transition〈q,Γ, F,Q′〉 ∈ ∆. In other words, an alternating automaton is nondeter-ministic iff its every transition has exactly one target state. Many questionsabout properties of nondeterministic automata can be answered using graph-


{a}

{b, c}{a}

{a, c}

{c}

{b}

{a, d}{b}

{b, d}

{d}q1

q2

q3

q4

q5{a, c}

{c}

{b}

{a, d}

{b, d}

q4

q5

(a) (b)

Fig. 2.2: (a) The alternating automaton A =⟨{a, b, c, d}, {q1 , q2, q3, q4, q5},{⟨

q1,{a},∅,{q2, q4}⟩,⟨q1,{d},∅,∅

⟩,⟨q2,{b},∅,{q1}

⟩,⟨q2,{b, c},∅,{q3}

⟩,⟨q3,{a},∅,{q2}

⟩,⟨

q4,{a, d},{•}, {q4}⟩,

⟨q4,{b},{•},{q4, q5}

⟩,

⟨q4,{c},∅,{q4}

⟩,

⟨q5,{a, c},{◦},{q5}

⟩,

⟨q5,

{b, d},∅,{q5}⟩}, q1, {•, ◦}

⟩;

(b) The subautomaton Aq4 =⟨{a, b, c, d}, {q4 , q5},

{⟨q4,{a, d},{•},{q4}

⟩,⟨q4,{b},

{•},{q4, q5}⟩,⟨q4,{c},∅,{q4}

⟩,⟨q5,{a, c},{◦},{q5}

⟩,⟨q5,{b, d},∅,{q5}

⟩}, q4, {•, ◦}

⟩

theoretic decision procedures. We shall discuss the construction and analysisof such automata in Ch. 4 and Ch. 8.

Example 2.3.1 We illustrate our conventions for drawing alternating au-tomata in Fig. 2.2 (a). The states of the automata are drawn as circles (withthe initial state of the automaton marked by a small arrowhead), and thetransitions of the automata are represented by sets of arrows connecting thecircles. We occasionally omit the labels of the states if they are not relevant inthe context. For each transition 〈q,Γ, F,Q′〉 ∈ ∆ with a nonempty set of tar-get states (i.e., if |Q′| = n holds for some 1 ≤ n < ω), we draw n arrows fromthe state q to each state in Q′. It is also permissible for a transition to haveno target states (in which case Q′ = ∅ holds): every such transition (suchas the transition with guard {d} starting from the state qI in Fig. 2.2 (a))is represented with a single arrow connected only to the transition’s sourcestate. Arrows associated with the same transition are drawn in the same linestyle; since the source of each transition is unique, the same line styles canbe reused in each state of the automaton without ambiguity as far as thecorrespondence between arrows and transitions is concerned. Acceptanceconditions in F are represented by small shaded circles on the transition ar-rows; each different shade corresponds to a different acceptance condition.To simplify the figures, we usually place the transition guards near only oneof the arrows associated with a particular transition. We nevertheless repeatthe acceptance conditions of the transition on each of these arrows. �

Successors, Paths, Descendants and SubautomataLet A = 〈Σ, Q,∆, qI ,F〉 be an alternating automaton, and let q ∈ Q. Astate q′ ∈ Q is a successor of q if there exists a transition 〈q,Γ, F,Q′〉 ∈ ∆such that q′ ∈ Q′. A path in A is a nonempty sequence x = (qi)0≤i<n ∈ Qn,where 1 ≤ n ≤ ω, and qi is a successor of qi−1 for all 1 ≤ i < n. If n = 1, thepath is trivial ; if n < ω, the path is a finite path from q0 to qn−1; otherwisethe path is infinite. The length of the path is the length of the sequence x,i.e., the number of states in the sequence. The path visits the state q ∈ Q iffqi = q holds for some 0 ≤ i < n. The path is simple iff qi 6= qj holds for all


0 ≤ i, j < n (i 6= j), and it is a loop (alternatively, a cycle) iff it is a finitenontrivial path with qn−1 = q0. The cycle is simple iff (q0, q1, . . . , qn−2) isa simple path. We reuse the terminology introduced for the transitions of Aand call a loop of length 2 a self-loop. (A self-loop transition always defines apath that is a self-loop, but the converse does not hold in the general case.)A state q′ ∈ Q is a descendant of q ∈ Q iff there exists a finite nontrivial pathfrom q to q′ in the automaton; in this case we also say that q′ is reachablefrom q in A.

Let t1 = 〈q1,Γ1, F1, Q′1〉 ∈ ∆ and t2 = 〈q2,Γ2, F2, Q

′2〉 ∈ ∆ be two

transitions of A. The transition t2 is consecutive to the transition t1 iff thesource state of t2 is a target state of t1 (i.e., iff q2 ∈ Q′

1 holds). A transitionchain is a (possibly empty) sequence of transitions (ti)0≤i<n ∈ ∆n (0 ≤ n ≤ω) such that ti is consecutive to ti−1 for all 1 ≤ i < n. We say that thechain is maximal if the chain cannot be concatenated with a transition (ineither order) to obtain another chain of transitions. Analogously to paths, thelength of the chain is the number of transitions (n) in the chain, the chainis finite if n < ω and infinite otherwise, the chain visits a state q ∈ Q iff q isthe source state of ti for some 0 ≤ i < n, and it is simple iff ti 6= tj holds forall 0 ≤ i, j < n (i 6= j).

Example 2.3.2 In Fig. 2.2 (a), the successors of q1 are the states q2 and q4; the

descendants of q1 include also the states q3 and q5, because x1def= (q1, q2, q3)

and x2def= (q1, q4, q5, q5) are finite nontrivial paths (of lengths 3 and 4) from q1

to q3 and q5, respectively. Because x1 does not visit any of the states q1, q2 or q3twice, x1 is simple; this does not hold, however, for the path x2 that includes

a self-loop (q5, q5) from q5 to itself. The path x3def= (q2, q3, q2, q3, q2, q3, . . .)

is an infinite path that begins with a cycle (q2, q3, q2) that is not a self-loop.

The infinite transition chain ydef=

(⟨q1, {a}, ∅, {q2, q4}

⟩,⟨q4, {c}, ∅, {q4}

⟩,⟨

q4, {c}, ∅, {q4}⟩,⟨q4, {c}, ∅, {q4}

⟩, . . .

)visits the states q1 and q4. �

Let q ∈ Q be a state in the automaton A. The subautomaton of A withinitial state q (denoted Aq) is the alternating automaton obtained from Aby changing its initial state to q, removing all states that are different fromq but that are not descendants of q from the resulting automaton and re-stricting the transition relation ∆ to the remaining set of states. The sub-automaton shares its set of acceptance conditions with the original automa-

ton. We also say that Aq is rooted at the state q ∈ Q. Formally, Aq def=

〈Σ, Qq,∆q, qqI ,Fq〉, where Qq def

= {q} ∪ {q′ ∈ Q | q′ is a descendant of q},

∆q def=

{〈q′,Γ, F,Q′〉 ∈ ∆ {q′} ∪Q′ ⊆ Qq

}, qqI

def= q, and F q def

= F . It is easyto see that if Aq is a subautomaton of A and q′ ∈ Qq, then (Aq)q

′= Aq′, i.e.,

each subautomaton of Aq is also a subautomaton of A.When taking subautomata of alternating automata, we sometimes also

project the acceptance conditions of A into another given set of acceptanceconditions F ′. Formally, for a set F ′, we denote by Aq,F ′

the automaton

〈Σ, Qq,∆q,F ′, qqI ,F

′〉, where Qq and qqI are defined as above, and ∆q,F ′ def={

〈q′,Γ, F ∩ F ′, Q′〉〈q′,Γ, F,Q′〉 ∈ ∆, {q′} ∪Q′ ⊆ Qq}

.

Example 2.3.3 Figure 2.2 (b) shows the subautomaton Aq4 obtained fromthe automaton A depicted in Fig. 2.2 (a). �


RunsA run of an alternating automaton A = 〈Σ, Q,∆, qI ,F〉 on an infinite wordw ∈ Σω is a directed labeled acyclic graph (DAG) G = 〈V,E, L〉, wherethe set of nodes V , the set of (hyper)edges E and the labeling function L :V ∪ E → Q ∪ ∆ satisfy the following conditions (for X ⊆ V ∪ E, we writeL(X) as a shorthand for {L(x) | x ∈ X}):

• The set of nodes V can be partitioned into finite pairwise disjoint levelsVi ⊆ V (i.e., V =

⋃0≤i<ω Vi, Vi ∩ Vj 6= ∅ for all 0 ≤ i, j < ω, i 6= j)

such that V0 = {v0} is a singleton, and E ⊆⋃

0≤i<ω(Vi × 2Vi+1).[Partitioning to levels]

• For all v ∈ V , there exists a unique edge 〈v, V ′〉 ∈ E.[Forward causality]

• For all v′ ∈ V \ V0, there exists an edge 〈v, V ′〉 ∈ E such that v′ ∈ V ′.[Backward causality]

• L(v0) = qI , and for all 0 ≤ i < ω and e = 〈v, V ′〉 ∈ E ∩ (Vi × 2Vi+1),there exists a transition t = 〈q,Γ, F,Q′〉 ∈ ∆ such that L(e) = t,L(v) = q, w(i) ∈ Γ, and L(V ′) = Q′. [Consistency of labeling]

Let e = 〈v, V ′〉 ∈ E. Reusing the terminology defined for alternatingautomata, we call each element v′ ∈ V ′ a successor of v; source and targetnodes of edges, descendants of a node, paths in a run, consecutive edges, andchains and maximal chains of edges are defined in the obvious way.

Graph- vs. tree-based runs. Note that, although every individual level of arun is required to be finite, we do not require the maximum number of nodesin a level of a run to be finitely bounded. Therefore, the above graph-baseddefinition of runs subsumes (but is no more general than) the more commondefinition of runs as finitely branching labeled trees (see, for example, [Vardi1995]) in which the partitioning and backward causality properties follow im-plicitly from the properties of trees. The graph-based definition is convenientfor expressing results on runs simply as transformations between runs withouta need to introduce additional concepts such as “run DAGs” (as often usedin the literature [Isli 1994, 1996; Kupferman and Vardi 1997, 2001]).

Example 2.3.4 Figure 2.3 illustrates the construction of the first few levelsof (one possible) run for the alternating automaton in Fig. 2.2 (a) on aninput word that begins with the symbols acabacababdcd . Again, we representnodes of the run with circles and edges with (sets) of arrows connecting thenodes; we first draw the node corresponding to the level V0 of the run (theleftmost node in the figure) and label this node with the initial state q1 of theautomaton. On the first input symbol a, the automaton spawns two copies ofitself that then process the next symbol of the input, starting from the statesq2 and q4, respectively. The spawning of the two copies is represented bydrawing arrows from the node labeled with the state q1 to two new nodeslabeled with these states in the figure; these nodes form level V1 of the run.Nodes on the same level are always drawn horizontally aligned (with theirlabels shown beside the nodes themselves). Subsequent levels of the run


q1q1

q1

q1

q2q2q2

q2 q2

q3

q3

q4

q4q4q4

q4

q4 q4q4q4

q4q4q4q4q4q4 q5q5 q5q5q5

q5q5q5q5q5q5q5q5q5

aaaaa bbb ccc dd

{a}

{a}

{a}{a}

{a} {b}{b}

{b} {b}

{b}{b}

{c}

{c}

{c}

{c}

{d}

{a,c}

{a,c}{a,c}{a,c}{a,c} {a,c}

{a,d}{a,d}

{a,d}{a,d}{a,d}

{a,d}{a,d}

{b,c}

{b,c}

{b,d}

{b,d}

{b,d}

{b,d}

{b,d}{b,d}

{b,d}

Fig. 2.3: First few levels of a run of the alternating automaton in Fig. 2.2 (a) formedby reading the input acabacababdcd

of the automaton are defined in a similar manner so that the labels of thesuccessors of each node always match the target states of some transitionthat starts from the state labeling the node itself and includes the next inputsymbol (shown at the top of the figure) in its guard.

The nodes in a level of the run represent the copies of the automatonwhich are “active” at the corresponding position of the input. As seen in thefigure, the number of active copies (of which several may be in the same stateof the automaton) can change while the automaton processes its input: theautomaton may spawn new copies of itself, some of the copies may “mergetogether”, or a copy of the automaton may “die” by taking a transition with anempty set of target states. Note that the structural properties of a run do notenforce the merging of copies; nor do they enforce any global finite upperbound on the number of copies of a particular subautomaton (or the totalnumber of active copies of the automaton) spawned at any position of theinput.

The arrows leaving each node constitute the unique (hyper)edge startingfrom the node. Formally, each of these edges is labeled with a transition ofthe automaton. We mark only the guards and the acceptance conditions ofthese transitions in the figure; the exact label of each edge in the run cannevertheless be determined uniquely from this information together with thelabels of the nodes. �

Infinite Branches and Their Properties

Let G = 〈V,E, L〉 be a run of an alternating automaton A = 〈Σ, Q,∆,qI ,F〉 on an infinite word w ∈ Σω. We call each maximal chain of edgesin G a branch of G; by the partitioning and backward causality, it is easy tosee that each branch of G begins with the unique edge 〈v0, V1〉 ∈ E. Inparticular, we denote the set of infinite branches in G by B(G) and define,for each infinite branch β = (ei)0≤i<ω ∈ B(G),

inf(β)def=

{f ∈ F ∀i ≥ 0 : ∃j ≥ i : L(ej) is an f -transition of A

}

and

fin(β)def=

{f ∈ F ∃i ≥ 0 : ∀j ≥ i : L(ej) is an f -transition of A

}.


The sets inf(β) and fin(β) are called the infinity set and the final set of β,respectively; inf(β) collects the acceptance conditions occurring in the labelof infinitely many edges in the branch β, and fin(β) is the maximal set ofconditions that are missing from the labels of only finitely many edges in thebranch. It is easy to see that if fin(β) 6= ∅, then inf(β) 6= ∅, and furthermore,if inf(β) 6= ∅, then, for all f ∈ inf(β), there exists an f -transition tf ∈ ∆such that L(ei) = tf holds for infinitely many i, because ∆ is finite.

Acceptance Modes and the Language of an Automaton

Let G = 〈V,E, L〉 be a run of an alternating automaton A = 〈Σ, Q,∆,qI ,F〉 on an infinite word w ∈ Σω, and let B(G) be the set of infinitebranches in G. A branch β ∈ B(G) is inf-accepting iff inf(β) = F and fin-accepting iff fin(β) = ∅. The run G is inf- (fin-)accepting iff every branchβ ∈ B(G) is inf- (fin-)accepting, respectively. (If all branches of G are finite,then B(G) = ∅, and thus G is trivially both inf- and fin-accepting.)

We say that A inf-accepts (fin-accepts) w ∈ Σω iff A has an inf-accepting(fin-accepting) run on w. We call the set of infinite words accepted by Ain a fixed acceptance mode the language of A and denote it by Linf(A)or Lfin(A), where the acceptance mode is given in the subscript. The au-tomaton A inf- or fin-recognizes a language L ⊆ Σω iff L = Linf(A) orL = Lfin(A), respectively. The automaton is inf- (fin-)empty iff it inf-(fin-)recognizes the empty language. We call two automata inf- (fin-)equiva-lent iff they inf- (fin-)recognize the same language.

Transition- vs. state-based acceptance. In the literature, acceptance is of-ten characterized by associating acceptance conditions with states instead ofthe transitions of an automaton and defining (for an infinite branch β ina run of the automaton) inf(β) (fin(β)) to be the union of the acceptanceconditions associated with those states in the automaton that occur as labelsof the source nodes of infinitely many (resp. all except for finitely many)edges in β. We shall refer to this form of acceptance as state-based (inf- orfin-)acceptance to distinguish it from the above notion of transition-based ac-ceptance. It is a well-known fact that state-based inf-acceptance can alwaysbe reduced to transition-based inf-acceptance without altering the state set ofthe automaton, but the converse reduction may necessitate duplicating somestates of the automaton to preserve its language; the results on nondetermin-istic automata (see, for example, [Perrin and Pin 2004]) generalize easily toalternating automata with multiple acceptance conditions.

Relation to generalized Büchi acceptance. Our notion of inf-acceptanceis equivalent to classic (generalized) Büchi acceptance commonly used inthe literature (see, for example, the survey article by Thomas [1990]). Asa matter of fact, fin-acceptance can be seen merely as a way to rephrasethe notion of inf-acceptance, because inf- and fin-acceptance can be eas-ily reduced to each other: an alternating automaton A = 〈Σ, Q,∆, qI ,F〉fin- (inf-)recognizes the language L ⊆ Σω iff the automaton obtained fromA by complementing the set of acceptance conditions of every transitionof A with respect to F inf- (fin-)recognizes the same language. (That is,Lfin(A) = Linf(A

′) holds for the automaton A′ = 〈Σ, Q,∆′, qI ,F〉 having


q4q4q4

q5q5q5

aa

{a,c}{a,c}

{a,d}{a,d}

q4q4q4

q5q5q5

a b

{b}

{a,c}

{a,d}

{b,d}

q4q4q4

q5q5q5

c d

{c}

{a,c}

{a,d}

{b,d}

(a) (b) (c)

Fig. 2.4: Possible extensions of the graph in Fig. 2.3 into a run of the alternatingautomaton shown in Fig. 2.2 (a). (a) Extension on the input aω ; (b) Extension onthe input (ab)ω; (c) Extension on the input (cd)ω

the transition relation ∆′ def=

{〈q,Γ,F \ F,Q′〉〈q,Γ, F,Q′〉 ∈ ∆

}; as a mat-

ter of fact, if |F| = 1 holds, then fin-acceptance coincides with a notion ofacceptance commonly known as co-Büchi acceptance.) Nevertheless, fin-acceptance provides a convenient way to identify a collection of transitionsthat an automaton is forbidden to take indefinitely in any infinite branch ofa fin-accepting run on an input w ∈ Σω belonging to the language of theautomaton. Obviously, this requirement resembles the characteristic proper-ties of models of strong temporal eventualities of LTL: recall that an infiniteword does not satisfy a strong temporal eventuality if some designated LTLproperty remains unsatisfied in all suffixes of the word. We shall make use ofthis connection between the semantics of LTL and fin-acceptance in Ch. 3.Additionally, with fin-acceptance one can freely add new acceptance condi-tions to an automaton without modifying its transition relation to preservethe language of the automaton.

Because the different acceptance modes are reducible to each other as de-scribed above, each theorem on alternating automata working in one accep-tance mode corresponds to a theorem on automata working in the oppositeacceptance mode. We shall prove most of our results for only one acceptancemode and shall not deal with the opposite mode explicitly.

Example 2.3.5 Consider again the initial fragment of a run of the automatonfrom Ex. 2.3.1 on the input acabacababdcd (Fig. 2.3). This run fragment endsin a level having two nodes labeled with the states q4 and q5, respectively. Weinvestigate inf- and fin-acceptance in several runs of the automaton obtainedvia simple infinite extensions of the input.

Concatenating the word aω to the input allows us to extend the graphin Fig. 2.3 into a run ending in, for example, an infinite number of identi-cal levels shown in Fig. 2.4 (a). It is easy to see that the run formed in thisway contains a finite number of infinite branches, and all of these branchesend in an infinite suffix of identically labeled edges (labeled either with thetransition

⟨q4, {a, d}, {•}, {q4}

⟩or the transition

⟨q5, {a, c}, {◦}, {q5}

⟩). Be-

cause neither of these transitions is both a •- and a ◦-transition, it follows thatthe conditions • and ◦ cannot both belong to the infinity set of any infinitebranch, and thus the run is not inf-accepting. On the other hand, the run isnot fin-accepting, either, because the final set of every infinite branch alwaysincludes one of the conditions • or ◦.


Figure 2.4 (b) shows another extension for the graph in Fig. 2.3 obtainedby concatenating the word (ab)ω with the original input. The run now con-tains infinitely many infinite branches: intuitively, after traversing a chainof edges that ends in an edge labeled with a self-loop starting from the stateq4, we always have the opportunity of extending this chain with an edge la-beled either with another self-loop starting from q4, or a self-loop that startsfrom q5. Nevertheless, it is easy to see that all infinite branches again end inan infinite suffix of edges labeled with self-loops starting from a fixed stateof the automaton. More precisely, the edge labels will eventually alternatebetween the transitions

⟨q4, {a, d}, {•}, {q4}

⟩and

⟨q4, {b}, {•}, {q4, q5}

⟩, or

the transitions⟨q5, {a, c}, {◦}, {q5}

⟩and

⟨q5, {b, d}, ∅, {q5}

⟩in every infinite

branch of the run. Similarly to the first case, no infinite branch has {•, ◦}as its infinity set, and the run is not inf-accepting. Although the final set ofall infinite branches ending in a suffix labeled with self-loops starting fromq5 is empty, the run is nevertheless not fin-accepting, either, because the ac-ceptance condition • will eventually repeat indefinitely in the edge labels ofevery infinite branch that ends in an infinite suffix of edges corresponding toself-loops starting from the state q4.

Finally, extending the graph in Fig. 2.3 into a run by reading the in-put (cd)ω can be done as shown in Fig. 2.4 (c). As above, the run is notinf-accepting; however, in this case all infinite branches of the run containinfinitely many edges labeled with transitions having no acceptance condi-tions as seen in the figure. Therefore the automaton fin-accepts the wordacabacababdcd(cd)ω. �

2.3.2 Properties of Runs of Alternating Automata

In this section we list several basic facts about runs of alternating automata.These facts will be used mainly as tools in the proofs of subsequent results.We begin by establishing an obvious correspondence between reachability ina run of an alternating automaton and reachability in the automaton itself;compare this result with Fig. 2.2 (a) and Fig. 2.3.

Proposition 2.3.6 Let G = 〈V,E, L〉 be a run of an alternating automatonA = 〈Σ, Q,∆, qI ,F〉 on an infinite word w ∈ Σω. Let v ∈ Vi be a node inG at some level 0 ≤ i < ω. If v′ ∈ V is a descendant of v in G, then L(v′) isa descendant of L(v) in A.

Proof: Because of the partitioning of V , each descendant of v in G is anelement of Vi+j for some 1 ≤ j < ω. If v′ ∈ Vi+1 is a successor of v, then vis the source state of an edge that includes v′ in its target nodes, and becauseG is a run, the consistency of the labeling implies that L(v′) is a successor(hence, a descendant) of L(v) in A.

Assume that the result holds for all descendants v′ ∈ Vi+j of v for some1 ≤ j < ω, and let v′′ ∈ Vi+j+1 be a descendant of v. Thus G containsa finite nontrivial path from v to v′′, and, because E contains edges onlybetween consecutive levels of G, there exists a descendant v′ ∈ Vi+j of v andan edge e = 〈v′, V ′〉 ∈ E such that v′′ ∈ V ′ holds. Because the labeling L isconsistent, L(v′′) is a successor of L(v′) in A, and thus L(v′′) is a descendantof L(v) by the induction hypothesis. �


qIqIqIqIqIqIqI qI

qI

qIqI

qIqI

qI

q1

q2

q3

self -loop

self -loop

self -loop

non

-self -loop

self

-loop

self

-loop

self

-loop

self

-loop

self

-loop

self

-loop

self

-loop

self

-loop

self

-loop

Fig. 2.5: Every run of an alternating automaton contains a chain of edges labeledwith initial self-loops of the automaton such that the sequence is either infinite, or itcan be extended with an edge labeled with an initial transition that is not a self-loop

Consider the construction of a run for an alternating automaton A.Clearly, the only way to extend a finite (possibly empty) chain of edges la-beled with initial self-loops of the automaton with a new edge starting froma node labeled with the initial state of the automaton in a consistent wayis to label the new edge with another initial transition of the automaton.Therefore, every run of the automaton contains either a finite chain of edgeslabeled with initial transitions of the automaton such that all edges exceptthe last one correspond to self-loops of the automaton, or an infinite chain ofedges, all edges of which are labeled with initial self-loops of the automaton(see Fig. 2.5). Because we shall often rely on the existence of such a chain ofedges in a run of an alternating automaton, we state this simple fact formallyhere for further reference.

Proposition 2.3.7 Let G = 〈V,E, L〉 be a run of an alternating automatonA = 〈Σ, Q,∆, qI ,F〉. There exists an index 0 ≤ i ≤ ω and a chain of edges(ej)0≤j<i+1, ej ∈ E ∩ (Vj × 2Vj+1), such that L(ej) is an initial self-loop of Afor all 0 ≤ j < i, and either i = ω, or L(ei) is an initial transition of A that isnot a self-loop.

Proof: Because G is a run, L(v0) = qI , and v0 has the unique outgoing edgee = 〈v0, V1〉 ∈ E ∩ (V0 × 2V1) such that L(e) is an initial transition of A. IfqI /∈ L(V1), then L(e) is not a self-loop, and thus i = 0 can be chosen as theindex referred to in the proposition.

Assume that G contains a chain of edges (ej)0≤j≤k, ej ∈ E ∩ (Vj ×2Vj+1),for some 0 ≤ k < ω such that L(ej) is an initial self-loop of A for all 0 ≤j ≤ k. Let ek = 〈v, V ′〉 for some v ∈ Vk and V ′ ⊆ Vk+1. Because L(ek)is an initial self-loop of A, there exists a node v′ ∈ V ′ such that L(v′) = qI .Due to forward causality, v′ has the unique outgoing edge ek+1 = 〈v′, V ′′〉 ∈E ∩ (Vk+1 × 2Vk+2) for some V ′′ ⊆ Vk+2, and because L is consistent, ek+1 islabeled with an initial transition of A. Clearly, ek and ek+1 are consecutive.As above, if qI /∈ L(V ′′), then L(ek+1) is not a self-loop, and (ej)0≤j≤k+1 is achain of edges that satisfies the criteria given in the proposition. Otherwise(ej)0≤j≤k+1 is another chain of edges labeled with initial self-loops of A. Byinduction, it follows that G contains a chain of edges satisfying the requiredcriteria. �

The following proposition proves the fact that each run of an alternatingautomaton A on an infinite word w ∈ Σω is built from the runs of its subau-


tomata on suffixes of w; compare this result again with Fig. 2.3.

Proposition 2.3.8 Let G = 〈V,E, L〉 be a run of an alternating automatonA = 〈Σ, Q,∆, qI ,F〉 on an infinite word w ∈ Σω. Let v ∈ Vi be a nodein G at some level 0 ≤ i < ω with L(v) = q ∈ Q. Define the graphGv = 〈V v, Ev, Lv〉, where

• V v def= {v} ∪ {v′ ∈ V | v′ is a descendant of v in G},

• Ev def=

{〈v′, V ′〉 ∈ E {v′} ∪ V ′ ⊆ V v

}, and

• Lv : (V v ∪Ev) → (Q∪∆) is defined by the rule Lv(x)def= L(x) for all

x ∈ V v ∪Ev.

The graph Gv is a run of the subautomaton Aq = 〈Σ, Qq,∆q, q,F q〉 on thesuffix wi of w.

Proof: We check that Gv satisfies the properties required of a run of the sub-automaton Aq on wi.

(Partitioning) V v can be partitioned into finite disjoint levels V vj

def= V v ∩

Vi+j (0 ≤ j < ω). Clearly, V v0 = {v}, and Ev ⊆

⋃0≤j<ω(V

vj × 2V

vj+1).

(Causality) If v′ ∈ V v, then v′ = v or v′ is a descendant of v in G, andbecause G is a run, there exists a unique edge e = 〈v′, V ′〉 ∈ E. Clearly,every node in V ′ is a descendant of v. Therefore, {v′} ∪ V ′ ⊆ V v, ande ∈ Ev is the unique edge starting from v′ also in Ev.

If v′ ∈ V v \ {v}, then v′ is either a successor of v, or a successor of a nodethat is itself a descendant of v inG. In either case, there exists a node v′′ ∈ V v

and an edge e = 〈v′′, V ′′〉 ∈ E such that v′ ∈ V ′′ holds. Obviously, all nodesin V ′′ are descendants of v. Thus {v′′} ∪ V ′′ ⊆ V v holds, and e ∈ Ev.

(Consistency of Lv) By the definitions of Gv and Aq, Lv(v) = L(v) = q isthe initial state of Aq. Let v′ ∈ V v

j ⊆ Vi+j for some 0 ≤ j < ω. By causality,there exists a unique edge e = 〈v′, V ′〉 ∈ Ev ⊆ E (with V ′ ⊆ Vi+j+1), andby consistency of L, L(e) =

⟨L(v′),Γ, F, L(V ′)

⟩∈ ∆ holds for some Γ ⊆ Σ

and F ⊆ F such that w(i+ j) ∈ Γ. Because Lv(x) = L(x) holds for all x ∈V v ∪ Ev, then obviously

⟨L(v′),Γ, F, L(V ′)

⟩=

⟨Lv(v′),Γ, F, Lv(V ′)

⟩=

Lv(e) holds. It remains to check that⟨L(v′),Γ, F, L(V ′)

⟩∈ ∆q . Clearly, if

v′ = v, then L(v′) = L(v) = q ∈ Qq. Otherwise v′ is a descendant of v inG, and thus L(v′) is a descendant of L(v) = q in A by Proposition 2.3.6. Ineither case, all states in L(V ′) are descendants of L(v), and thus L

({v′} ∪

V ′)⊆ Qq. Because F ⊆ F = F q holds by the definition of Aq, it follows

that⟨L(v′),Γ, F, L(V ′)

⟩∈ ∆q holds.

We conclude that Gv is a run of Aq on(w(i+ j)

)0≤j<ω

= w[i,ω) = wi. �

By focusing only on inf- or fin-accepting runs of alternating automata,Proposition 2.3.8 leads to the result that any inf- or fin-accepting run of an al-ternating automaton consists of inf- or fin-accepting runs of its subautomata,respectively.


Proposition 2.3.9 Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automatonworking in acceptance mode µ ∈ {inf, fin}, and let G = 〈V,E, L〉 be a µ-accepting run of A on w ∈ Σω. For all 0 ≤ i < ω and v ∈ Vi, the run Gv

obtained from G using the construction in Proposition 2.3.8 is a µ-acceptingrun of AL(v) on wi. More generally, if G = 〈V,E, L〉 is a µ-accepting run ofA on w, then AL(v) µ-accepts wi for all 0 ≤ i < ω and v ∈ Vi.

Proof: By Proposition 2.3.8, Gv is a run of the subautomaton AL(v) on wi. Ifthere exists an infinite path through Gv starting from the node v, then thispath is a suffix of some infinite path through G that begins from the nodev0 ∈ V0 and visits the node v. (This follows directly from backward causalityand the fact that V v ⊆ V and Ev ⊆ E hold.) It follows that also each infinitebranch βv = (evj )0≤j<ω ∈ B(Gv) in Gv is a suffix of an infinite branchβ = (ej)0≤j<ω ∈ B(G) in G (where evj = ei+j for all 0 ≤ j < ω). BecauseG is a µ-accepting run of A, β is µ-accepting. Thus, either inf(β) = F(µ = inf), or fin(β) = ∅ (µ = fin). Since βv is an infinite suffix of β,β contains only finitely many edges not contained in βv, and thus eitherinf(βv) = inf(β) = F = FL(v), or fin(βv) = fin(β) = ∅ holds. It followsthat Gv is a µ-accepting run of AL(v) on wi. �

Proposition 2.3.9 has the following immediate consequence on the non-occurrence of nodes and edges labeled with certain states or transitions of analternating automaton in an inf- or fin-accepting run of the automaton.

Proposition 2.3.10 Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automatonworking in acceptance mode µ ∈ {inf, fin}. Let q∅ ∈ Q be a state of theautomaton such that Lµ(Aq∅) = ∅ holds, or let t∅ = 〈q,Γ, F,Q′〉 ∈ ∆(q ∈ Q, Γ ⊆ Σ, F ⊆ F and Q′ ⊆ Q) be a transition such that Γ = ∅,or

⋂q′∈Q′Lµ(A

q′) = ∅ holds. For all w ∈ Lµ(A), no µ-accepting run ofA on w contains a node (edge) labeled with the state q∅ (the transition t∅,respectively).

Proof: Let G = 〈V,E, L〉 be a µ-accepting run of A on some w ∈ Σω. Ifthere exists a node v ∈ Vi (0 ≤ i < ω) such that L(v) = q∅ holds, thenwi ∈ Lµ(A

q∅) holds by Proposition 2.3.9. But then Lµ(Aq∅) is not empty. It

follows that G has no nodes labeled with the state q∅.Let e = 〈v, V ′〉 ∈ E ∩ (Vi × 2Vi+1) (0 ≤ i < ω) be an edge in G.

Because the labeling L is consistent, the guard of the transition L(e) ∈ ∆cannot be nonempty (it contains the symbol w(i)), and the target nodes V ′

of e are labeled with the target states of L(e). Because V ′ ⊆ V holds, itfollows by Proposition 2.3.9 that Aq′ µ-recognizes wi+1 for all q′ ∈ L(V ′),i.e., wi+1 ∈

⋂q′∈L(V ′) Lµ(A

q′) holds. But then⋂q′∈L(V ′) Lµ(A

q′) 6= ∅. It iseasy to see that t∅ cannot be the label of e. �

Consequently, it is safe to remove a state (transition) from an alternatingautomaton if the subautomaton rooted at the state inf- or fin-recognizes theempty language (respectively, if the intersection of the languages recognizedby the subautomata rooted at the transition’s target states is empty).

Corollary 2.3.11 Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automatonworking in acceptance mode µ ∈ {inf, fin}, let Q∅ ⊆ Q be a set of states


such that Lµ(Aq) = ∅ holds for all q ∈ Q, and let ∆∅ ⊆ ∆ be a set of transi-tions such that Γ = ∅ or

⋂q′∈Q′Lµ(A

q′) = ∅ holds for all 〈q,Γ, F,Q′〉 ∈ ∆∅

(q ∈ Q, Γ ⊆ Σ, F ⊆ F and Q′ ⊆ Q). Let A′ = 〈Σ, Q′,∆′, qI ,F〉 be the

alternating automaton obtained from A by defining Q′ def= Q \

(Q∅ \ {qI}

)

and ∆′ def=

{〈q,Γ, F,Q′′〉 ∈ ∆ \ ∆∅ {q} ∪ Q′′ ⊆ Q′

}. The automata A and

A′ are µ-equivalent.

Proof: Clearly, Q′ ⊆ Q and ∆′ ⊆ ∆ holds. Because A and A′ share theirinitial state and their acceptance conditions, it is easy to see that every µ-accepting run of A′ on some w ∈ Σω is also a µ-accepting run of A on w.The converse result follows because no µ-accepting run of A on any w ∈Σω contains nodes or edges labeled with states from Q∅ or ∆∅, respectively(Proposition 2.3.10). We conclude that A and A′ are µ-equivalent. �

Proposition 2.3.9 implies also that the language inf- or fin-recognized byan alternating automaton depends only on the structure of the subautomatonrooted at the initial state of the automaton. Consequently, given an alternat-ing automaton, we can always remove all its non-initial states that are notreachable from its initial state (and the transitions having such states as theirsource state or in their target states) without changing the language of theautomaton.

Proposition 2.3.12 Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automatonworking in acceptance mode µ ∈ {inf, fin}. For all w ∈ Σω, A µ-accepts wiff AqI µ-accepts w.

Proof: By the definition of AqI , the set of states (transitions) of AqI formsa subset of the states (transitions) of A, and because A and AqI share theirinitial state and the set of acceptance conditions, every µ-accepting run ofAqI on some w ∈ Σω is also a µ-accepting run of A on w.

Conversely, if G = 〈V,E, L〉 (with V0 = {v0}) is a µ-accepting run of Aon w ∈ Σω, then it follows immediately by Proposition 2.3.9 that Gv0 = G isa µ-accepting run of AL(v0) = AqI on w0 = w. �

Example 2.3.13 Consider again the alternating automaton depicted inFig. 2.2 (a) (p. 21). If we choose q4 instead of q1 as the initial state of thisautomaton, then, by Proposition 2.3.12, we know that the language of theautomaton is completely determined by the subautomaton Aq4 shown inFig. 2.2 (b), and thus the modified automaton and Aq4 (obtained from itby removing the states q1, q2 and q3) recognize the same language. �

2.3.3 Semi-Runs

In this section we define a class of graph structures which will be convenientfor proving many results on alternating automata via transformation of runsof the automata. Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automaton,and let w ∈ Σω. We call a directed labeled acyclic graph G = 〈V,E, L〉 asemi-run of A on w iff V , E and L satisfy the partitioning, backward causalityand the consistency properties defined for runs of A (p. 23) together with arelaxed forward causality condition defined as


w(0) w(1) w(2) w(3) w(4) w(5)

q1

q1

q2

q2

q3

q3

w(0) w(1) w(2) w(3) w(4) w(5)

q1

q1

q2

q3

q2

q3

(a) (b)

Fig. 2.6: Extending a semi-run of an automaton on an input w into a run of theautomaton using runs of the automaton’s subautomata. (a) A semi-run of an au-tomaton on w together with runs of its subautomata on suffixes of w; (b) The run(black nodes and edges) obtained by joining the runs of the subautomata with thesemi-run of the automaton)

For all v ∈ V , there exists at most one edge 〈v, V ′〉 ∈ E.[Forward semi-causality]

Thus, all nodes of a semi-run do not need to have any outgoing edges (buteach edge starting from a node is still unique). The concepts of an infinitebranch and acceptance extend to semi-runs in an obvious way: a semi-run Gis called an inf- or fin-accepting semi-run iff each infinite branch through Gis inf- or fin-accepting, respectively.

An inf- (fin-)accepting semi-run of A on w can be extended into an inf-(fin-)accepting run of A on w provided that it is possible to “attach” an inf-(fin-)accepting run of a subautomaton of A on a suffix of w to each node ofthe semi-run with no outgoing edges. This fact is formalized in the followingproposition; see also Fig. 2.6.

Proposition 2.3.14 Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automatonworking in acceptance mode µ ∈ {inf, fin}, and let G = 〈V,E, L〉 be a µ-

accepting semi-run of A on w ∈ Σω. Let Videf=

{v ∈ Vi E ∩ ({v}× 2Vi+1) =

∅}

denote the set of nodes at level 0 ≤ i < ω of G with no outgoing edges,and assume that AL(v) has a µ-accepting run on wi for all 0 ≤ i < ω andv ∈ Vi. The automaton A µ-accepts w.

Proof: For all 0 ≤ i < ω and all v ∈ Vi, let Gv = 〈V v, E v, Lv〉 (with V v0 =

{vv0}) be a µ-accepting run of AL(v) on wi. Without loss of generality, we

may assume that V v ∩ V v′ = ∅ holds for all pairs of nodes v, v′ ∈⋃

0≤i<ω Vi

(v 6= v′) and V v ∩ V = ∅ holds for all v ∈⋃

0≤i<ω Vi. Define the graphG′ = 〈V ′, E ′, L′〉, where

• V ′ def= V ∪

⋃0≤i<ω

⋃v∈bVi

(V v \ {vv0}),

• E ′ def= E ∪

⋃0≤i<ω

⋃v∈bVi

((E v \ {〈vv0 , V

v1 〉}) ∪ {〈v, V v

1 〉}), and


• the labeling function L′ is given by

L′(v)def=

{L(v) if v ∈ V

Lv(v) if v ∈ V v \ {vv0} for some v ∈⋃

0≤i<ω Vi

L′(e)def=

L(e) if e ∈ E

Lv(e) if e ∈ E v \{〈vv0 , V

v1 〉

}, v ∈

⋃0≤i<ω Vi

Lv(〈vv0 , V

v1 〉

)if e = 〈v, V v

1 〉 for some v ∈⋃

0≤i<ω Vi

We show that G′ is a µ-accepting run of A on w by checking that G′

satisfies all properties required of an accepting run.

(Partitioning) V ′ can be partitioned into finite disjoint levels by defining

V ′i

def= Vi ∪

⋃0≤j<i

⋃v∈bVj

V vi−j; then also E ′ ⊆

⋃ωi=0(V

′i × 2V

′i+1) holds. In

addition, because G is a semi-run of A, V ′0 = V0 is a singleton.

(Forward causality) Let v ∈ V ′. If v ∈ V , and v has an outgoing edge inG, then forward causality follows because E ⊆ E ′ holds. Otherwise, if v ∈ V

has no outgoing edges in G, then v ∈ Vi for some 0 ≤ i < ω, and by thedefinition ofG′, 〈v, V v

1 〉 is the unique edge starting from v in this case. In the

remaining case, v ∈ V v\{vv0} holds for some 0 ≤ i < ω and v ∈ Vi. BecauseGv is a run of AL(v) on wi, there exists a unique edge e = 〈v, V ′〉 ∈ E v, andbecause v 6= vv0 , e ∈ E ′ holds by the definition of G′.

(Backward causality) Let v′ ∈ V ′ \ V ′0 . If v′ ∈ V , then, because G is a

semi-run, there exists (in G) a node v ∈ V and an edge e ∈ E that starts fromv and includes v′ in its target nodes. Because V ⊆ V ′ and E ⊆ E ′, the samestill holds in G′. If v′ ∈ V v \ {vv0} for some v ∈

⋃0≤i<ω Vi, then v′ ∈ V v

j forsome 1 ≤ j < ω. Because Gv is a run, there exists (in Gv) a node v ∈ V v

j−1

and an edge e ∈ E v that starts from v and includes v′ in its target nodes. Ifj > 1, then v ∈ V v\{vv0} ⊆ V ′ and e ∈ E v\

{〈vv0 , V

v1 〉

}⊆ E ′, and backward

causality follows. If j = 1, then v′ is a successor of a node v ∈⋃

0≤i<ω Vi bythe definition of G′, and G′ has the backward causality property also in thiscase.

(Consistency of L′) Because V ′0 = V0 = {v0} and L is consistent, L′(v0) =

L(v0) = qI .Let e ∈ E ′. Clearly, e ∈ V ′

i × 2V′i+1 for some 0 ≤ i < ω. If e ∈ E

holds, then e = 〈v, V ′〉 ∈ Vi × 2Vi+1 holds by the definition of G′. BecauseL is consistent, it follows from the definition of G′ that L′(e) = L(e) =⟨L(v),Γ, F, L(V ′)

⟩∈ ∆ holds in G for some Γ ⊆ Σ and F ⊆ F such that

w(i) ∈ Γ. The labeling L′ is now consistent because⟨L(v),Γ, F, L(V ′)

⟩=⟨

L′(v),Γ, F, L′(V ′)⟩.

If e = 〈v, V v1 〉 holds for some v ∈ Vi, then, by the definition of G′ and

the consistency of Lv, L′(e) = Lv(〈vv0 , V

v1 〉

)=

⟨Lv(vv0),Γ, F, L

v(V v1 )

⟩∈

∆ holds for some Γ ⊆ Σ and F ⊆ F such that wi(0) = w(i) ∈ Γ.Then also the labeling L′ is consistent, because

⟨Lv(vv0),Γ, F, L

v(V v1 )

⟩=⟨

L(v),Γ, F, Lv(V v1 )

⟩=

⟨L′(v),Γ, F, L′(V v

1 )⟩.

Finally, if e = 〈v, V ′〉 ∈ E v \{〈vv0 , V

v1 〉

}holds for some v ∈ Vi (0 ≤ i <

ω), then e ∈ V vj × 2V

vj+1 ⊆ V ′

i+j × 2V′i+j+1 holds for some 1 ≤ j < ω (and

{v} ∪ V ′ ⊆ V v \ {vv0}). Because Gv is a run of AL(v) on wi, the labelingLv is consistent, and thus L′(e) = Lv(e) =

⟨Lv(v),Γ, F, Lv(V ′)

⟩∈ ∆ holds


for some Γ ⊆ Σ and F ⊆ F such that wi(j) = w(i + j) ∈ Γ. Because⟨Lv(v),Γ, F, Lv(V ′)

⟩=

⟨L′(v),Γ, F, L′(V ′)

⟩, L′ is consistent also in this

case.

(Acceptance) Clearly, G′ is µ-accepting if all branches of G′ are finite.Otherwise let β ∈ B(G′) be an infinite branch in G′. If β is contained inG, then β is µ-accepting by assumption. Otherwise the branch consists of afinite (possibly empty) chain of edges in G followed by an edge of the forme = 〈v, V v

1 〉 for some v ∈⋃

0≤i<ω Vi and V v1 ⊆ V v, which is then followed

by an infinite chain of edges through Gv. Clearly, this chain is a suffix ofan infinite branch β v in Gv. Since the number of edges in β precedingthis suffix is finite, it follows that inf(β) = inf(β v) and fin(β) = fin(β v), andsince either inf(β v) = F or fin(β v) = ∅ (depending on the acceptance modeµ), it follows that also inf(β) = F or fin(β) = ∅ holds. We conclude that G′

is a µ-accepting run of A on w. �

Proposition 2.3.14 provides a simple method for constructing acceptingruns for alternating automata by first finding an accepting semi-run for theautomaton, and then extending it with accepting runs for the automaton’ssubautomata. We shall make extensive use of this result in later chapters.As a first example of an application of the result, we establish a simple cor-respondence between a single step of operation of an alternating automa-ton and inf- (fin-)acceptance. More precisely, an alternating automaton inf-(fin-)accepts its input only if all copies of the automaton spawned by the firsttransition taken by the automaton inf- (fin-)accept the input that remains af-ter the first input symbol; conversely, the automaton can always be made toaccept its input if it has such an initial transition whose guard contains thefirst symbol of the input.

Proposition 2.3.15 Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automatonworking in acceptance mode µ ∈ {inf, fin}, and let w ∈ Σω. The automatonA µ-accepts w iff there exists a transition 〈qI ,Γ, F,Q

′〉 ∈ ∆ for some Γ ⊆ Σ,F ⊆ F and Q′ ⊆ Q such that w(0) ∈ Γ holds, and for all q ∈ Q′, thesubautomaton Aq µ-accepts w1.

Proof: (Only if) Assume that A µ-accepts w. Then A has a µ-accepting

run G = 〈V,E, L〉 on w, and G contains a state v0 ∈ V0 labeled with theinitial state of A and an edge e = 〈v0, V1〉 ∈ E labeled with a transitiont = 〈qI ,Γ, F,Q

′〉 ∈ ∆ for some Γ ⊆ Σ and F ⊆ F such that w(0) ∈ Γ andQ′ = L(V1) hold. By Proposition 2.3.8, we can extract from G a run of thesubautomaton Aq on w1 for all q ∈ Q′, and because G is µ-accepting, eachof these runs is µ-accepting by Proposition 2.3.9.

(If) Assume that there exists a transition t = 〈qI ,Γ, F,Q′〉 ∈ ∆ for some

Γ ⊆ Σ, F ⊆ F and Q′ = {q1, . . . , qn} ⊆ Q (0 ≤ n < ω) such thatw(0) ∈ Γ holds, and the subautomaton Aqi has a µ-accepting run on w1 forall 1 ≤ i ≤ n. Define the graph G = 〈V,E, L〉, where

• Vdef= {vI , v1, . . . , vn}, where vI 6= vi for all 1 ≤ i ≤ n, and vi 6= vj for

all 1 ≤ i, j ≤ n, i 6= j,


• Edef=

{〈vI , {v1, . . . , vn}〉

}, and

• L(vI)def= qI , L(vi)

def= qi for 1 ≤ i ≤ n, and L

(〈vI , {v1, . . . , vn}〉

)def= t.

It is easy to see from the definitions that G is a semi-run of A on w: obvi-ously, V is partitioned into finite disjoint levels V0 = {vI}, V1 = {v1, . . . , vn},Vi = ∅ for all 2 ≤ i < ω (and E ⊆ V0 × 2V1), the edge starting from vI isunique (and it is the only edge in E), each node v ∈ V \ {vI} is a successorof vI , and the labeling L is consistent. Since G has no infinite branches, G istrivially µ-accepting. Because L(v) ∈ {q1, . . . , qn} holds for all nodes v ∈ Vwith no outgoing edges (i.e., for all v ∈ V1) and Aqi has a µ-accepting run onw1 for all 1 ≤ i ≤ n by the assumption, we can apply Proposition 2.3.14 toextend the semi-run G into a µ-accepting run of A on w. �

2.3.4 Self-loop Alternating Automata

In this work we concentrate on a restricted class of alternating automataknown to be closely related to linear time temporal logic in that every lan-guage definable as the set of models of an LTL formula is also a language rec-ognizable by an alternating automaton in this subclass and vice versa [Rohde1997; Löding and Thomas 2000]. Since automata in general possess intu-itively appealing “operational” characteristics, translating linear time tempo-ral logic into finite automata provides a first step towards effective procedures,for example, for checking the satisfiability of LTL formulas. By concentratingon a subclass of automata that is equally expressive to LTL, the characteristicproperties of these automata allow making the procedures simpler and moreefficient. Because our basic definitions of automata and acceptance gener-alize traditional definitions by allowing alternating automata to have multi-ple acceptance conditions associated with their transitions, we shall rephraseseveral basic results on this subclass of alternating automata in this and thefollowing chapter using the generalized definitions to provide explicit detailsof various automata constructions. These details are needed, for example, fortransforming the formal constructions into an actual implementation.

Definition and Relation to Weak Alternating Automata

Formally, we call an alternating automaton A = 〈Σ, Q,∆, qI ,F〉 a self-loopalternating automaton iff all its simple cycles (i.e., cycles that do not visit anystate except their first state twice) are self-loops.

Self-loop alternating automata share their structural properties with a sub-class of alternating automata referred to as the class of very weak [Isli 1994,1996; Rohde 1997; Gastin and Oddoux 2001], linear [Löding and Thomas2000], linear weak [Merz and Sezgin 2003; Hammer et al. 2005] or one-weak [Ben-David et al. 2005] alternating automata in the literature. Theusual terminology stems from the identification of the subclass with a specialcase of the more general weak alternating automata introduced by Mulleret al. [1986, 1992]; however, we prefer the above direct definition to separatethe intuitive structural characterization of the automata in the subclass fromany particular (usually state-based) notion of acceptance that is implied bythe standard definition of weakness.


Weak alternating automata [Muller et al. 1986, 1992] have their state setspartitioned into subsets arranged into a partially ordered hierarchy in whichno state in any subset of the hierarchy has a successor that belongs to a set thatis strictly higher in the hierarchy. In very weak automata, each of these sub-sets consists of a single state of the automaton. The connection between thisstructural property of very weak alternating automata and self-loop automatais given in the following proposition.

Proposition 2.3.16 An alternating automaton A = 〈Σ, Q,∆, qI ,F〉 is a self-loop alternating automaton iff there exists a mapping ρ : Q → N such thatfor all transitions 〈q,Γ, F,Q′〉 ∈ ∆ (q ∈ Q, Γ ⊆ Σ, F ⊆ F and Q′ ⊆ Q),ρ(q′) < ρ(q) holds for all q′ ∈ Q′ \ {q}.

Proof: (Only if) Assume that all simple cycles in the automaton A are self-

loops. Let Q0 ⊆ Q denote the set of states such that for all q ∈ Q0, q eitherhas no successors, or the only successor of q is q itself. We claim that for allq ∈ Q, either q ∈ Q0 holds, or q has a descendant q′ ∈ Q0. If this werenot the case, there would exist a state q ∈ Q \ Q0 with no descendants inQ0. Therefore, the automaton would contain an infinite path (qi)0≤i<ω withq0 = q and qi 6= qi+1 for all 0 ≤ i < ω. Since Q is finite, there wouldnow exist two indices 0 ≤ n < m < ω such that qn+1 6= qn and qm = qnhold. However, the automaton would then contain a simple cycle (from qnto itself) that is not a self-loop, contrary to the assumption.

The above result shows that the mapping ρ : Q→ N,

ρ(q)def= max

{|x| x is a simple path from q to a state q′ ∈ Q0

}

is well-defined on Q.To show that this function satisfies the criterion given in the proposition,

suppose that A contains a state q ∈ Q and a transition 〈q,Γ, F,Q′〉 ∈ ∆ forsome Γ ⊆ Σ, F ⊆ F and Q′ ⊆ Q such that ρ(q′) ≥ ρ(q) holds for someq′ ∈ Q′ \ {q}. Then there exists a simple path of length ρ(q′) from q′ to astate q′′ ∈ Q0 in the automaton. However, because q′ 6= q is a successor of q,there exists (due to the fact that all simple cycles of A are self-loops) a simplepath of length ρ(q′) + 1 from q to q′′. But then ρ(q) cannot be the maximallength of a simple path from q to a state in Q0. Thus, ρ(q′) < ρ(q) holds.

(If) Assume that there exists a mapping ρ : Q → N satisfying the given

criterion. Let x = (qi)0≤i≤n (1 ≤ n < ω) be a simple cycle in A. Supposethat the cycle is not a self-loop, i.e., n > 1 holds. Since qi+1 is a successorof qi for all 0 ≤ i < n and all states {q0, . . . , qn−1} are distinct (and qn−1 6=qn = q0), it follows that

ρ(q0) > ρ(q1) > · · · > ρ(qn−1) > ρ(qn) = ρ(q0),

which is clearly a contradiction. Therefore n = 1, and x is a self-loop. Itfollows that A is a self-loop alternating automaton. �

Example 2.3.17 Figure 2.7 depicts a self-loop alternating automaton work-ing over the alphabet {a, b, c}. The function ρ (defined in the proof ofProposition 2.3.16) divides the state set of the automaton into four partitions


q1

q2 q3 q4

q5 q6

q7 q8 ρ = 1

ρ = 2

ρ = 3

ρ = 4

{a}

{a}

{a}

{a}

{a}

{a}

{b}

{b}

{b}

{b}{b}

{c}

{c}

{c}

{a, c} {b, c}

{b, c}

{a, b, c}

Fig. 2.7: A self-loop alternating automaton

as shown in the figure. The structure defined by the states and transitions of aself-loop alternating automaton can be considered to have been built from adirected acyclic graph by adding to it edges including their own source statein their target states. �

Convergence of Infinite Run BranchesBecause every loop of a self-loop alternating automaton visits a single state,the labels of the source states of the edges in an infinite branch of a run ofthe automaton will eventually converge to a fixed state of the automaton.In this case we simply say that the branch converges to a fixed state of theautomaton.

Proposition 2.3.18 Let G = 〈V,E, L〉 be a run of a self-loop alternatingautomaton A = 〈Σ, Q,∆, qI ,F〉. For each infinite branch (ei)0≤i<ω =(〈vi, V

′i 〉

)0≤i<ω

∈ B(G), there exists an index 0 ≤ j < ω and a state q ∈ Q

such that for all j ≤ k < ω, L(vk) = q holds, and L(ek) is a self-loop transi-tion of A with source state q.

Proof: Let ρ : Q → N be a mapping satisfying the condition given inProposition 2.3.16. By the definition of a run, L(ei) is a transition of Ahaving source state L(vi) and including L(vi+1) in its target states for alli. It follows that

(ρ(L(vi)

))0≤i<ω

is a nonincreasing infinite sequence of

nonnegative integers, and thus there exists an index 0 ≤ j < ω such thatρ(L(vk)

)= ρ

(L(vj)

)holds for all j ≤ k < ω. But then also L(vk) = L(vj)

holds for all j ≤ k < ω, since L(vi+1) is a successor of L(vi) in A for all0 ≤ i < ω, and ρ(q′) is strictly less than ρ

(L(vj)

)for all successors q′ of

L(vj) other than L(vj) itself. Thus we may choose q = L(vj), and becauseL(vk+1) = q is included in L(ek)’s target states for all j ≤ k < ω, it followsthat L(ek) is a self-loop of A with source state q for all j ≤ k < ω. �

A state q ∈ Q of a self-loop alternating automaton A = 〈Σ, Q,∆, qI ,F〉working in fin-acceptance mode is a transient state iff all self-loops from thisstate to itself share a common acceptance condition, formally, if there existsan acceptance condition f ∈ F such that f ∈ F holds for all 〈q,Γ, F,Q′〉 ∈∆ with q ∈ Q′. (This holds trivially if there are no self-loops starting from thestate.)


It is easy to show that every infinite branch of a fin-accepting run of aself-loop alternating automaton will converge to a nontransient state of theautomaton.

Corollary 2.3.19 Let A = 〈Σ, Q,∆, qI ,F〉 be a self-loop alternating au-tomaton, and let G = 〈V,E, L〉 be a run of A on w ∈ Σω. If G is a fin-accepting run of A, then each infinite branch of G converges to a nontran-sient state of A.

Proof: Let β = (ei)0≤i<ω =(〈vi, V

′i 〉

)0≤i<ω

∈ B(G) be an infinite branch in

G. By Proposition 2.3.18, there exists a state q ∈ Q and an index 0 ≤ j < ωsuch that for all j ≤ k < ω, L(vk) = q, and L(ek) is a self-loop of Awith source state q. Because G is fin-accepting, fin(β) = ∅, and thus, forall f ∈ F and j ≤ k < ω, there exists a k ≤ k′ < ω such that the self-loop L(ek′) ∈ ∆ is not an f -transition of A. Because the same holds forall acceptance conditions in F , it follows that q is a nontransient state of A.

�

Another corollary of Proposition 2.3.18 is that no acceptance conditionassociated with a non-self-loop transition of a self-loop alternating automatonaffects the language recognized by the automaton. Thus, we can always re-move all acceptance conditions from the transitions of the automaton whichare not self-loops.

Corollary 2.3.20 Let A = 〈Σ, Q,∆, qI ,F〉 be a self-loop alternating au-tomaton. Define the self-loop alternating automaton A′ = 〈Σ, Q,∆′, qI ,F〉,where ∆′ is obtained from ∆ by making the set of acceptance conditions

of all non-self-loops of ∆ empty (formally, ∆′ def=

{〈q,Γ, F,Q′〉 ∈ ∆ q ∈

Q′}∪

{〈q,Γ, ∅, Q′〉〈q,Γ, F,Q′〉 ∈ ∆ for some F ⊆ F , and q /∈ Q′

}). The

automata A and A′ are fin-equivalent.

Proof: Let β = (ei)0≤i<ω ∈ B(G) be an infinite branch through a runG of either of the automata. By Proposition 2.3.18, there exists an index0 ≤ j < ω such that L(ei) is a self-loop of both automata for all j ≤ i < ω,and thus β contains only finitely many edges labeled with non-self-loop tran-sitions. Therefore, none of these transitions can contribute to the accep-tance conditions occurring infinitely often in the labels of the edges of β,i.e., inf(β) = inf

((ei)j≤i<ω

)and fin(β) = fin

((ei)j≤i<ω

). The result now

follows since the definitions of A′ and A differ only in the acceptance condi-tions associated with non-self-loop transitions. �

Example 2.3.21 Consider again the automaton shown in Fig. 2.7. ByCorollary 2.3.20, we can remove all acceptance conditions from the non-self-loop transitions of the automaton. This simplification results in the au-tomaton shown in Fig. 2.8. Because both the original and the simplifiedautomaton have no self-loops starting from the states q3 or q4, these states aretrivially transient. Also the states q2 and q6 are transient, because all self-loopsstarting from these states share a common acceptance condition. Thus, byCorollary 2.3.19, every infinite branch in a fin-accepting run of either au-tomaton converges to one of the states q1, q5, q7 or q8. �


q1

q2 q3 q4

q5 q6

q7 q8

{a}

{a}

{a}

{a}

{a}

{a}

{b}

{b}

{b}

{b}{b}

{c}

{c}

{c}

{a, c} {b, c}

{b, c}

{a, b, c}

Fig. 2.8: The self-loop alternating automaton of Fig. 2.7 after removing acceptanceconditions from its non-self-loop transitions


3 BASIC AUTOMATON TRANSLATION

The languages definable by linear time temporal logic formulas are knownto be recognizable by nondeterministic automata on infinite words, i.e., ev-ery linear time temporal logic formula can be translated into a correspond-ing nondeterministic automaton that accepts its models. This connectionbetween LTL and automata theory has stimulated active research towardsfinding an efficient procedure for translating LTL and its subclasses or exten-sions into automata. The proposed approaches can be roughly divided into(i) procedures based on combining a “local automaton” with an “eventualityautomaton” [Wolper et al. 1983; Vardi and Wolper 1986; Ramakrishna et al.1992b; Vardi and Wolper 1994], (ii) procedures that build on a tableau de-cision procedure for LTL ([Manna and Wolper 1982, 1984; Wolper 1985])[Gerth et al. 1995; Couvreur 1999; Daniele et al. 1999; Somenzi and Bloem2000; Wolper 2001; Giannakopoulou and Lerda 2002; Thirioux 2002], and(iii) translation procedures that build an automaton incrementally by com-bining automata built for subformulas of an LTL formula into more com-plex automata, using nondeterministic [Michel 1985; de Jong 1992; Schnei-der 2001; Fritz 2005] or alternating [Isli 1994, 1996; Vardi 1994; Rohde1997; Manna and Sipma 2000; Gastin and Oddoux 2001; Fritz 2003; Ham-mer et al. 2005] automata as the target formalism. The translation proce-dures have been improved with techniques for the minimization of automata[Etessami and Holzmann 2000; Somenzi and Bloem 2000; Etessami et al.2001, 2005; Etessami 2002; Fritz and Wilke 2002, 2005; Gurumurthy et al.2002] and heuristics for reducing nondeterminism in the generated automata[Thirioux 2002; Sebastiani and Tonetta 2003]. The procedures have alsobeen specialized for LTL safety properties [Geilen 2001; Latvala 2003].

The language of any LTL formula can be recognized by a nondeterminis-tic automaton having exponentially many states in the length of the formula[Wolper et al. 1983; Vardi and Wolper 1994], and this upper bound is tight(see, for example, [Wolper 2001]). Muller et al. [1988] proposed using weakalternating automata as a succinct automata-theoretic formalism for work-ing with many temporal logics, showing (using the extended temporal logicof Wolper [1981, 1983] interpreted over tree models as an example) themto be translatable into automata with only a linear number of states in thelength of a formula; the special case for LTL has since been discussed inmany sources [Isli 1994, 1996; Vardi 1994; Rohde 1997; Manna and Sipma2000; Gastin and Oddoux 2001; Fritz 2003; Hammer et al. 2005]. Althoughall translations from LTL to alternating automata are very similar, they useslightly different strategies for dealing with negations in the input formulas.Common approaches include working directly with the closure of the inputformula [Isli 1994, 1996; Vardi 1994] (i.e., a set of formulas obtained fromthe subformulas of the formula and their negations), rewriting the formulain positive normal form before translation [Manna and Sipma 2000; Gastinand Oddoux 2001; Fritz 2003], or using a complementation procedure foralternating automata [Rohde 1997].

In this chapter we describe a translation from linear time temporal logic toself-loop alternating automata working in fin-acceptance mode. Borrowing

40 3. BASIC AUTOMATON TRANSLATION

ideas from known translation procedures [Rohde 1997; Gastin and Oddoux2001], we use a set of rules to construct a self-loop alternating automatonAϕ that recognizes the language of a given LTL formula ϕ (Sect. 3.1). Thetranslation proceeds in a bottom-up manner by joining automata built recur-sively for subformulas of (the positive normal form of) ϕ into increasinglycomplex automata. This intuitive “modular” approach to building automatawas proposed already in some studies on translating LTL formulas directlyinto nondeterministic automata [Michel 1985; de Jong 1992] (and appliedalso by Schneider [2001] and Fritz [2005]); however, these constructionsare made complicated by the intricacies of working with nondeterministicinfinite word automata in general, such as the difficulty of their complemen-tation. These complexities do not arise when using alternating automata asthe target formalism.

We show that the worst-case number of states in the automaton built usingour translation rules meets the best upper bound known for similar transla-tions presented in the literature (Sect. 3.2) and show the correctness of thetranslation (Sect. 3.3). Although formally only a matter of preference, usingfin-acceptance instead of inf-acceptance (a direct generalization of the ideaof using co-Büchi acceptance as suggested by Gastin and Oddoux [2001])gives a simple explanation for the introduction of new acceptance condi-tions during the translation. Finally, we shall review the connection betweenthe expressiveness of LTL and self-loop alternating automata [Rohde 1997;Löding and Thomas 2000] by discussing a reverse translation from self-loopalternating automata to LTL and analyzing its complexity (Sect. 3.4).

3.1 TRANSLATION RULES

In this section we introduce rules for translating LTL formulas into self-loopalternating automata. We first review the notation that is customarily usedto simplify the representation of transition guards of automata working oninputs over the fixed alphabet 2AP . With this alphabet, the transition guardswill be elements of the set 22AP

, i.e., families of sets of atomic propositions.Since there is a simple correspondence between these families and Booleanformulas, it is convenient to express the guards with these formulas. Morespecifically, for any family Γ = {σ1, σ2, . . . , σn} ∈ 22AP

(0 ≤ n < ω), whereσ ⊆ AP for all 1 ≤ i ≤ n, there exists a characteristic Boolean formulaθΓ, for example, θΓ

def=

∨ni=1

((∧p∈σi

p) ∧ (∧p∈AP\σi

¬p)), such that, given a

subset σ ⊆ AP , σ |= θΓ holds iff σ ∈ Γ; conversely, each Boolean formula θ

is characteristic for the family of its models Γθdef= {σ ⊆ AP | σ |= θ} ∈ 22AP

.Therefore, when considering the runs of an alternating automaton, the factthat σ ∈ Γ holds for some σ ⊆ AP and some guard Γ ∈ 22AP

of sometransition is equivalent to the condition that σ |= θ holds for a characteristicBoolean formula θ of Γ. This notation will be used in further discussionwhenever dealing with automata having the fixed alphabet 2AP .

Let ϕ ∈ LTL(AP) be an LTL formula. By the discussion in Sect. 2.2.3,we may assume that ϕ is in positive normal form (by first replacing ϕ with[ϕ]PNF if necessary). We construct from ϕ an alternating automaton Aϕ byapplying the following rules recursively to the subformulas of ϕ. See Fig. 3.1

3. BASIC AUTOMATON TRANSLATION 41

for illustration on the application of each rule.

Atomic FormulasLet ϕ ∈ {>,⊥} or ϕ ∈ {p,¬p} for some atomic proposition p ∈ AP . The

automaton for ϕ is defined as Aϕ = 〈2AP , Q,∆, qI ,F〉, where Qdef= {qI} for

some new state qI ,

∆def=

{{〈qI , ϕ, ∅, ∅〉

}if ϕ ∈ {>, p,¬p} (p ∈ AP )

∅ otherwise

and Fdef= ∅.

Next TimeLet ϕ = Xϕ1. Given the definition of the automaton Aϕ1 = 〈2AP , Q1,∆1,qI1,F1〉 for the subformula ϕ1, the automaton Aϕ = 〈2AP , Q,∆, qI ,F〉 forϕ has the components

• Qdef= Q1 ∪ {qI} (where qI is a state not included in Q1);

• ∆def= ∆1 ∪

{〈qI ,>, ∅, {qI1}〉

}; and

• Fdef= F1.

Binary ConnectivesLet ϕ = (ϕ1◦ϕ2) for some binary connective ◦ ∈ {∨,∧,Us,Uw,Rs,Rw}. LetAϕ1 = 〈2AP , Q1,∆1, qI1,F1〉 and Aϕ2 = 〈2AP , Q2,∆2, qI2,F2〉 be alreadydefined for the top-level subformulas ϕ1 and ϕ2 of ϕ, respectively, such thatAq,F1∪F2ϕ1

= Aq,F1∪F2ϕ2

holds for all q ∈ Q1 ∩ Q2 (i.e., if the two automatashare a state, then they share all states and transitions reachable from thisstate). The automaton Aϕ = 〈2AP , Q,∆, qI ,F〉 for the formula ϕ is built bydefining

• Qdef= Q1 ∪Q2 ∪ {qI}, where qI is a new state not included in Q1 ∪Q2;

• ∆def= ∆1 ∪ ∆2 ∪ ∆◦; and

• Fdef= F1 ∪ F2 ∪ F◦

where the definitions of ∆◦ and F◦ for each binary connective are given inTable 3.1.

Example 3.1.1 We illustrate the use of the translation rules by building anautomaton for the LTL formula

((GFp1 ∧ GFp2) ∨

(p3 Rw (p4 Rs p5)

))∈ LTL

({p1, . . . , p5}

).

Because we do not have explicit translation rules for the F and G connectives,we first rewrite the subformulas with F or G as their main connective in termsof the basic connectives via the LTL identities

Fϕ ≡ (>Us ϕ) and Gϕ ≡ (⊥Rw ϕ).


qI

ϕ

ϕ ∈ {>, p,¬p} (p ∈ AP)

(a)

qI

⊥

(b)

θ1

A1

θ2

θ3

A2qI1 qI2

(c)

θ1

A1

qI

qI1

>

X

(d)

θ1

θ1

A1θ2

θ2

θ3

A2

qI

qI1 qI2

θ3

∨

(e)

θ1

A1

θ2

θ3

A2

qI

qI1 qI2

(θ1∧θ3)

(θ1∧θ2)

∧

(f)

θ1

θ1

A1θ2

θ2

θ3

A2

qI

qI1 qI2

θ3

Us

(g)

θ1

θ1

A1θ2

θ2

θ3

A2

qI

qI1 qI2

θ3

Uw

(h)

θ1

A1

θ2

θ2

θ3

A2

qI

qI1 qI2

(θ1∧θ2)

(θ1∧θ3)

θ3

Rs

(i)

θ1

A1

θ2

θ2

θ3

A2

qI

qI1 qI2

(θ1∧θ2)

(θ1∧θ3)

θ3

Rw

(j)

Fig. 3.1: Automata built using translation rules. (a) Automaton built from an atomicformula ϕ ∈ {>, p,¬p} (p ∈ AP ); (b) Automaton built for the atomic formula ⊥;(c) Two component automata A1 and A2; (d) Automaton built from A1 with theNext Time rule; (e)–(j) Automata built from A1 and A2 using the translation rulesgiven for the ∨, ∧, Us, Uw, Rs and Rw connectives, respectively


Table 3.1: Definitions of F◦ and ∆◦ for the binary connectives (θ1, θ2 conjunctionsof atomic formulas over AP , F1 ⊆ F1, F2 ⊆ F2, Q′

1 ⊆ Q1, Q′2 ⊆ Q2, and f is

a new acceptance condition not yet used in the application of another translationrule)

◦ F◦ ∆◦

{〈qI , θ1, ∅, Q

′1〉〈qI1, θ1, F1, Q

′1〉 ∈ ∆1

}

∨ ∅∪

{⟨qI , θ2, ∅, Q

′2

⟩〈qI2, θ2, F2, Q

′2〉 ∈ ∆2

}

∧ ∅

{⟨qI , (θ1 ∧ θ2), ∅, Q

′1 ∪Q

′2

⟩ 〈qI1, θ1, F1, Q′1〉 ∈ ∆1,

〈qI2, θ2, F2, Q′2〉 ∈ ∆2

}

{⟨qI , θ1, {f}, Q

′1 ∪ {qI}

⟩〈qI1, θ1, F1, Q

′1〉 ∈ ∆1

}

Us {f}∪

{〈qI , θ2, ∅, Q

′2〉〈qI2, θ2, F2, Q

′2〉 ∈ ∆2

}

{⟨qI , θ1, ∅, Q

′1 ∪ {qI}

⟩〈qI1, θ1, F1, Q

′1〉 ∈ ∆1

}

Uw ∅∪

{〈qI , θ2, ∅, Q

′2〉〈qI2, θ2, F2, Q

′2〉 ∈ ∆2

}

{⟨qI , θ2, {f}, Q

′2 ∪ {qI}

⟩〈qI2, θ2, F2, Q

′2〉 ∈ ∆2

}

Rs {f}∪

{⟨qI , (θ1 ∧ θ2), ∅, Q

′1 ∪Q

′2

⟩ 〈qI1, θ1, F1, Q′1〉 ∈ ∆1,

〈qI2, θ2, F2, Q′2〉 ∈ ∆2

}

{⟨qI , θ2, ∅, Q

′2 ∪ {qI}

⟩〈qI2, θ2, F2, Q

′2〉 ∈ ∆2

}

Rw ∅∪

{⟨qI , (θ1 ∧ θ2), ∅, Q

′1 ∪Q

′2

⟩ 〈qI1, θ1, F1, Q′1〉 ∈ ∆1,

〈qI2, θ2, F2, Q′2〉 ∈ ∆2

}


Thus, the formula can be rewritten as the logically equivalent formula[((

⊥Rw (>Us p1))∧

(⊥Rw (>Us p2)

))∨

(p3 Rw (p4 Rs p5)

)];

this formula is clearly in positive normal form. Because the main connec-tive ∨ of the formula is a binary connective, we first have to find automata

for the formulas ϕdef=

((⊥Rw (>Us p1)

)∧

(⊥Rw (>Us p2)

))and ψ

def=

(p3 Rw (p4 Rs p5)

)before we can apply the translation rule for the ∨ con-

nective. Proceeding recursively towards the subformulas of the formula ϕ,we first build automata shown in Fig. 3.2 (a) for the subformulas ⊥, >, p1

and p2 of ϕ. We can then define automata for the subformulas (>Us p1)and (>Us p2) by applying the translation rule given for the Us connectivefirst to A> and Ap1 , and then to A> and Ap2 ; see Fig. 3.2 (b). Because thesubformulas are strong temporal eventualities, we associate a unique accep-tance condition with each compound automaton. (To simplify these and thefollowing figures, we shall always omit the states not reachable from the ini-tial states of the constructed automata, since they can be removed from theautomata by Proposition 2.3.12 without changing their languages.)

We then apply the Rw translation rule to the automata A⊥ and A(>Us p1),and then to A⊥ and A(>Us p2), to obtain the automata shown in Fig. 3.2 (c).Because Rw is a weak temporal eventuality, no new acceptance conditionsare added to the automata. (Because the automaton A⊥ has no initial tran-sitions, the initial transitions of A(⊥Rw (>Us pi)) are completely determined bythe automaton A(>Us pi) for all i ∈ {1, 2}.)

We next merge the automata built for the top-level subformulas of ϕ intothe automaton shown in Fig. 3.2 (d) for the formula ϕ itself by using the ∧translation rule.

The translation of the subformula(p3 Rw (p4 Rs p5)

)proceeds similarly.

We start from the automata built for the atomic subformulas (see Fig. 3.3 (a))and apply the Rs translation rule to Ap4 and Ap5 to obtain an automaton forthe formula (p4 Rs p5) (Fig. 3.3 (b)). Again, because (p4 Rs p5) is a strongtemporal eventuality, we add a new acceptance condition to the automaton.We then apply the Rw rule to Ap3 and A(p4 Rs p5) to construct an automatonfor the formula ψ (Fig. 3.3 (c)).

We finally apply the ∨ translation rule to Aϕ and Aψ to build the automa-ton shown in Fig. 3.4 for the formula

[((⊥Rw (>Us p1)

)∧

(⊥Rw (>Us p2)

))∨

(p3 Rw (p4 Rs p5)

)].

�

3.1.1 Simple Observations

Correspondence between node subformulas of ϕ and states of Aϕ. Theconstruction of an automaton Aϕ for the given LTL formula ϕ (in positivenormal form) is guided by the structure of ϕ, which completely determinesthe set of rules that need be applied for translating the formula into an au-tomaton. Even though the particular application order of the rules may re-main partially unspecified (i.e., automata for any pair of subformulas of ϕ


A⊥

>

A>

p1

Ap1

p2

Ap2

(a)

>p1

A(>Us p1)

> p2

A(>Us p2)

(b)

>

>p1

p1

A(⊥ Rw (>Us p1))

>

> p2

p2

A(⊥ Rw (>Us p2))

(c)

> >

(> ∧ p2) (p1 ∧ >)

>p1

p1

p2

(p1 ∧ p2)

p2(> ∧>)

>

Aϕ

(d)

Fig. 3.2: Building an automaton for the LTL formula ϕdef=

((⊥Rw (>Us p1)

)∧

(⊥Rw (>Us p2)

)). (a) Automata for the atomic subformulas of ϕ; (b) Au-

tomata for the formulas (>Us p1) and (>Us p2); (c) Automata for the formulas(⊥Rw (>Us p1)

)and

(⊥Rw (>Us p2)

); (d) Automaton for the formula ϕ

p3

Ap3

p4

Ap4

p5

Ap5

p5(p4 ∧ p5)

A(p4 Rs p5)

p5 (p3 ∧ p5)

(p3 ∧ (p4 ∧ p5)

)

p5(p4 ∧ p5)

(p4 ∧ p5)

Aψ

(a) (b) (c)

Fig. 3.3: Building an automaton for the formula ψdef=

(p3 Rw (p4 Rs p5)

). (a) Au-

tomata for the atomic subformulas of ψ; (b) Automaton for the formula (p4 Rs p5);(c) Automaton for the formula ψ


> >

(> ∧ p2)(p1 ∧ >)

>p1

p1

p2

(p1 ∧ p2)

p2(> ∧>)

>(p3 ∧ p5)

(p3 ∧ (p4 ∧ p5)

)

p5

(p4 ∧ p5)

(p4 ∧ p5)

(p3 ∧ p5)

(p3 ∧ (p4 ∧ p5)

)

p5(p4 ∧ p5)

p5

Fig. 3.4: Automaton for the LTL formula[((

⊥Rw (>Us p1))∧

(⊥Rw (>Us p2)

))∨

(p3 Rw (p4 Rs p5)

)]

that do not share any subformulas can be constructed in either order), au-tomata built for two syntactically identical subformulas of ϕ are neverthelesseasily seen to be isomorphic (i.e., one can be obtained from the other by re-naming its states and acceptance conditions). It is therefore possible to reusethe structure of the automata constructed during the translation by direct-ing the transitions added in the application of a translation rule to previouslyadded states whenever possible. Because the recursive translation rules treatthe atomic subformulas of ϕ as the base case, it follows that the numberof rule applications required equals the number of node subformulas of ϕ.Therefore, because NSub(ϕ) is finite, the translation always terminates, and,because each step of the translation adds exactly one new state to the result,there is a bijective correspondence between NSub(ϕ) and the set of states inthe automaton built for the formula ϕ.

Interpretation of the translation rules. The correspondence betweenNSub(ϕ) and the states of the automaton Aϕ gives a simple interpretationof each translation rule. Intuitively, each translation rule gives instructionson how to recognize the language of an LTL formula ϕ by either giving an au-tomaton for ϕ directly (the rules for the atomic formulas), or describing howto run the automata built for the top-level subformula(s) of a non-atomic for-mula ϕ to recognize the language L(ϕ). Thus, for example, the translationrule for constructing an automaton A(ϕ1∧ϕ2) for the language L

((ϕ1 ∧ ϕ2)

)

interprets to first building the automata Aϕ1 and Aϕ2 for the languages L(ϕ1)and L(ϕ2) and then creating an automaton that, in effect, runs Aϕ1 and Aϕ2

in parallel on any given input. The translation rule makes the first admissi-ble transition in any run of A(ϕ1∧ϕ2) mimic a pair of initial transitions takensynchronously by each of the component automata. As a result, the initialtransition in any run of A(ϕ1∧ϕ2) corresponds to spawning both Aϕ1 and Aϕ2

on the same input. However, since this initial transition already synchronizesby itself with the first symbol of the input, the target states of the transitionneed be adjusted so that the set of copies of the automaton which are activeafter the transition matches the copies of Aϕ1 and Aϕ2 that would be activeafter a synchronous pair of initial transitions. This is the reason for not in-cluding the initial states of the component automata in the target states of


the initial transitions of A(ϕ1∧ϕ2) unless the transitions are self-loops, whichare thus unrolled in the application of the translation rule.

A corresponding adjustment of target states is needed for defining the ini-tial transitions of automata built for any other connective, except for the NextTime operator X; namely, the purpose of the Next Time translation rule is tomodify an automaton built for an LTL formula ϕ into an automaton that, ineffect, postpones the checking of ϕ by one initial step.

For the binary temporal connectives Us and Uw, the definition of ∆◦ inthe translation rules is a direct automata-based encoding of the well-knownLTL identity

(ϕ1 Uϕ2) ≡(ϕ2 ∨

(ϕ1 ∧ X(ϕ1 Uϕ2)

))

where U is an Until connective of the same strength on both sides of theidentity. Thus, for example, the translation of the formula (ϕ1 Us ϕ2) into anautomaton corresponds to first building automata for the top-level subformu-las and then joining them into an automaton that verifies that either ϕ2 holdsin the infinite suffix of the input beginning at the current input position, orthat ϕ1 holds in this suffix and (ϕ1 Us ϕ2) still holds in the infinite suffix be-ginning at the next input position. In the latter case, the automaton spawnstwo independent copies of itself, one of which checks whether the infinitesuffix beginning at the current input position belongs to L(ϕ1), whereas theother proceeds to check whether (ϕ1 Us ϕ2) still holds from the next inputposition onward.

The rules for the Release connectives can be derived from the rules intro-duced for the ∧ and Until connectives via the identities

(ϕ1 Rs ϕ2) ≡(ϕ2 Us (ϕ1 ∧ ϕ2)

)and (ϕ1 Rw ϕ2) ≡

(ϕ2 Uw (ϕ1 ∧ ϕ2)

).

Formally, the combination of the rules introduced for the ∧ and the Untilconnectives defines an automaton with a state that is unreachable from theinitial state of the automaton, namely, the initial state of the automaton con-structed for the formula (ϕ1∧ϕ2). However, this state can be safely discardedby Proposition 2.3.12 without changing the language of the automaton. Thissimplification then gives the direct rules shown in Table 3.1.

Loop structure. Building an automaton for a compound formula ϕ fromone or two component automata constructed for the top-level subformula(s)of ϕ is done by taking a new initial state for the automaton and then addingtransitions from this state to itself and the states of the component automataas instructed by the translation rules. Since no rule manipulates the tran-sition relation of any component automaton, it follows (by induction) thatevery state q of the automaton Aϕ constructed for an LTL formula ϕ willalways remain unreachable from all of its descendants except possibly q it-self. Thus, all loops in the transition structure of the final automaton willbe self-loops, which may arise in the application of the translation rules tosubformulas of ϕ with a binary temporal main connective. By these observa-tions, it follows that the automaton constructed by the translation rules is aself-loop alternating automaton.


Structure of transition guards. The guard of the only transition in an au-tomaton built for any atomic formula different from ⊥ is simply the formulaitself, encoding the subsets of AP that satisfy it: for >, all subsets of AP ;for literals, all subsets of AP that (for negative literals, do not) include theproposition in the literal. The guards of the initial transitions of any com-pound automaton are either > (the Next Time operator), or they are builtfrom the guards of the initial transitions of the component automata. It iseasy to see that each new transition either inherits its guard directly fromanother transition, or the guard is built as the conjunction of two previouslydefined guards. By induction, it follows that all guards in the final automatonwill be finite conjunctions of one or more atomic formulas, corresponding tofinite intersections of one or more subsets of 2AP by the semantics of ∧. Thisvery restricted form allows for efficient checking of propositional implica-tions between the guards, which is needed for the automaton simplificationconstructions discussed in Ch. 6.

Acceptance conditions. New acceptance conditions are introduced to theconstructed automaton whenever applying one of the translation rules to asubformula having either of the strong binary temporal operators (Us or Rs) asits main connective. Intuitively, because the conditions are interpreted as fin-acceptance conditions, they will prevent the automaton from remaining in astate corresponding to an unsatisfied strong temporal eventuality indefinitelyalong any path through a fin-accepting run of the automaton. Therefore, theacceptance of an input requires the eventual satisfaction of each strong tem-poral eventuality along the input as required by the semantics of the strongtemporal operators. This intuition will be made formal in the correctnessproof of Sect. 3.3.

As seen from the translation rules, the transitions added to the automatonat each step never inherit any acceptance conditions from previously definedtransitions. Since each translation rule adds at most one acceptance condi-tion to the automaton, it follows that the set of acceptance conditions of eachtransition of the final automaton will be either an empty or a singleton set.Since all transitions with a nonempty set of acceptance conditions are self-loops of the automaton, the final automaton is easily seen to be constructedsimplified in the sense of Corollary 2.3.20. Additionally, it is easy to see fromthe translation rules that all transitions of the final automaton having a partic-ular acceptance condition in their set of acceptance conditions always havethe same source state.1

1Actually, this fact can be used (together with Proposition 2.3.18) to show that it is notnecessary to associate a unique acceptance condition with each strong temporal eventual-ity, i.e., all eventualities could share the same acceptance condition as in the translation ofGastin and Oddoux [2001]. We shall not do this here, however, since the correctness ofmany heuristics for improving the translation (to be presented in the following chapters) re-lies on the strict correspondence between acceptance conditions and temporal eventualities.


3.2 SIZES OF COMPONENTS IN AN AUTOMATON BUILT FROM AN LTL FOR-

MULA

In this section we consider upper bounds for sizes of components of anautomaton built from (the positive normal form) of an LTL formula ϕ ∈LTL(AP). The sizes of the components of the subautomaton AqI

ϕ rooted atthe initial state of the automaton Aϕ (built from [ϕ]PNF using the translationrules of Sect. 3.1) satisfy the inequalities

• |Q| ≤ 1 + Temp([ϕ]PNF

)≤ 1 + 2 · |Temp(ϕ)| (Sect. 3.2.1),

• |∆| ≤ 2NSize([ϕ]PNF)−1 < 22·|ϕ|−1 (Sect. 3.2.2), and

• |F| ≤{(ϕ1 ◦ ϕ2) ∈ Sub([ϕ]PNF) : ◦ ∈ {Us,Rs}

}. (Sect. 3.2.3)

3.2.1 Number of States

As noted previously, an LTL formula ϕ (in positive normal form) can betranslated into an automaton in |NSub(ϕ)| applications of a translation rule.Since the rules build the automaton one state at a time, the translation endsafter exactly |NSub(ϕ)| states have been defined. Therefore, the size ofNSub(ϕ) also gives a simple upper bound for the number of states in anautomaton recognizing the language of the formula ϕ.

As seen already in Ex. 3.1.1, the application of a translation rule to de-fine an alternating automaton from smaller component automata may leavesome states in the component automata unreachable from the initial stateof the newly constructed automaton. However, this fact is not taken into ac-count when using the number of translation steps as an upper bound for thenumber of states in an automaton Aϕ built for a given LTL formula. Becausethe language of an alternating automaton depends only on those states of theautomaton that are actually reachable from the initial state of the automa-ton (Proposition 2.3.12), a tighter bound can be given by considering thenumber of states in the subautomaton AqI

ϕ obtained from the result of thetranslation by restricting it to the smallest set of states that includes the stateqI and the states actually reachable from qI . For this purpose, we examine thetranslation rules to find the exact conditions under which a state introducedduring the translation will still be reachable from the initial state of the finalautomaton.

Each translation rule for building a compound automaton either adds atransition to an initial state of a component automaton (the Next Time rule),or it uses the initial transitions of the component automata as a basis fordefining the initial transitions of the compound automaton (rules for the bi-nary connectives). It is clear from the translation rules that all target states ofeach initial transition of a component automaton will be included as targetstates of some transition of the compound automaton. Additionally, sincenone of the rules ever change—or even refer to—the non-initial transitionsof any component automaton, it follows that a state reachable from the initialstate of a component automaton will remain reachable from the initial stateof any automaton obtained from it by any number of translation rules. Byexamining the translation rules, we find that the initial state qI of some com-ponent automaton will still be included in the subautomaton rooted at the


initial state of the final automaton at least if it satisfies one of the followingconditions:

• qI is the initial state of the final automaton built for the LTL formulaϕ. Clearly, because qI is the last state to be added into the automaton,the final automaton is never used as a component automaton in anytranslation rule.

• qI has a self-loop transition to itself, which is possible (by the definitionof the translation rules) only if qI is the initial state of an automatonbuilt for a binary pure temporal subformula (i.e., a subformula witheither Us, Uw, Rs or Rw as its main connective).

• qI is the initial state of an automaton corresponding to a subformulaϕ1, and Xϕ1 ∈ NSub(ϕ). (Since Xϕ1 ∈ NSub(ϕ), the Next Time rulewill be applied to the automaton Aϕ1 in the translation; the applicationof the rule then results in an automaton with an initial transition to qI .)

We show that the three above conditions actually describe the exact set ofstates in the subautomaton rooted at the initial state of the final automaton.Assume that qI is the initial state of an automaton (corresponding to a formulaϕ1 ∈ NSub(ϕ)) such that qI satisfies none of the above conditions. Then, ϕhas a non-atomic compound subformula with ϕ1 as a top-level subformula.Because Xϕ1 /∈ NSub(ϕ), all such subformulas are binary subformulas of ϕ.Let ϕ′ be any of these formulas. When a translation rule is applied to con-struct the automaton Aϕ′ , the state qI will not be connected to the initial stateof Aϕ′ , because qI has no self-loop transitions. Because Xϕ1 /∈ NSub(ϕ), itfollows that qI cannot be connected to the initial state of another automatonconstructed later in the procedure, and thus qI will remain unreachable fromthe initial state of the final automaton. We have thus proved the followingresult:

Proposition 3.2.1 Let Aϕ be the alternating automaton built for the LTLformula ϕ ∈ LTLPNF(AP) using the translation rules, and let AqI

ϕ (withstate set Q) be the subautomaton rooted at the initial state of Aϕ. Then,

|Q| ={ϕ}∪

{(ϕ1 ◦ ϕ2) ∈ NSub(ϕ) : ◦ ∈ {Us,Uw,Rs,Rw}

}

∪{ϕ1 ∈ NSub(ϕ) : Xϕ1 ∈ NSub(ϕ)

}

This result leads to the following upper bound for the number of states in analternating automaton constructed from any LTL formula (that is not neces-sarily in positive normal form). The upper bound is essentially the same asthe one that is implicit in the translation of Gastin and Oddoux [2001].

Corollary 3.2.2 Let ϕ ∈ LTL(AP) be any LTL formula built from the ele-ments of AP , the Boolean constants > and ⊥, and the connectives {¬,∨,∧,X,Us,Uw,Rs,Rw}. The language of the formula ϕ can be recognized by analternating automaton on the alphabet 2AP with at most 1+ Temp

([ϕ]PNF

)

≤ 1 + 2 · |Temp(ϕ)| states (1 + |Temp(ϕ)| states, if ϕ itself is in positive nor-mal form). (If ϕ is a binary pure temporal formula, the upper bound reducesto Temp

([ϕ]PNF

)states.)


Proof: As noted in Sect. 2.2.3, the formula [ϕ]PNF (which is in positive nor-mal form) has at most twice as many pure temporal subformulas as ϕ, i.e.,Temp

([ϕ]PNF

)≤ 2 · |Temp(ϕ)|, and L

([ϕ]PNF

)= L(ϕ). By applying

the translation to [ϕ]PNF, the result follows directly from Proposition 3.2.1 byobserving that

{(ϕ1 ◦ ϕ2) ∈ NSub

([ϕ]PNF

): ◦ ∈ {Us,Uw,Rs,Rw}

}

∪{ϕ1 ∈ NSub

([ϕ]PNF

): Xϕ1 ∈ NSub

([ϕ]PNF

)} ≤ Temp([ϕ]PNF

).

�

3.2.2 Number of Transitions

By Corollary 3.2.2, any LTL formula can be translated into an alternatingautomaton with a linear number of states in the number of pure temporalsubformulas in the formula. However, it is not difficult to see that there isa price to pay for the explicit representation of transitions: an automatonbuilt using the translation rules may have exponentially many transitions inthe length of the formula in the worst case. First, it is easy to show thatthe number of transitions defined in the translation of (the positive normalform of) an LTL formula ϕ ∈ LTL(AP) into an automaton is exponentiallybounded by NSize

([ϕ]PNF

):

Proposition 3.2.3 Let Aϕ be an alternating automaton built from (the pos-itive normal form of) an LTL formula ϕ ∈ LTL(AP) using the translationrules presented in Sect. 3.1. The automaton Aϕ has at most 2NSize([ϕ]PNF)−1 <22·|ϕ|−1 transitions.

Proof: We first prove the result for formulas in positive normal form. Let

ϕ ∈ LTLPNF(AP), and let ∆ be the set of transitions of Aϕ. If NSize(ϕ) = 1,then ϕ is an atomic formula. By the translation rules, ∆ contains at most oneelement, and because 2NSize(ϕ)−1 = 20 = 1, the result holds in this case.

Assume that the result holds for all LTL formulas whose node size is lessthan or equal to some fixed 1 ≤ k < ω, and let ϕ be a compound formulawith node size k + 1. Then, ϕ = Xϕ1 or ϕ = (ϕ1 ◦ ϕ2) for some ◦ ∈{∨,∧,Us,Uw,Rs,Rw} and ϕ1, ϕ2 ∈ LTLPNF(AP) such that NSize(ϕ1) ≤ kand NSize(ϕ2) ≤ k hold. Let A1 = 〈2AP , Q1,∆1, qI1,F1〉 and A2 =〈2AP , Q2,∆2, qI2,F2〉 be the automata built using the translation rules forthe formulas ϕ1 and ϕ2, respectively. Additionally, let ∆qI1

1 ⊆ ∆1 and ∆qI22 ⊆

∆2 denote the initial transitions of A1 and A2, respectively (i.e., ∆qIii

def={

〈q, θ, F,Q′〉 ∈ ∆i q = qIi}

for all i ∈ {1, 2}). There are the followingcases:

(ϕ = Xϕ1)

|∆| = |∆1| + 1 (translation rule for the X connective)

≤ 2NSize(ϕ1)−1 + 1 (induction hypothesis)

≤ 2NSize(ϕ1)−1 + 2NSize(ϕ1)−1 (NSize(ϕ1) ≥ 1)

= 2NSize(ϕ1)

= 2NSize(ϕ)−1 (definition of NSize(ϕ))


(ϕ = (ϕ1 ◦ ϕ2), ◦ ∈ {∨,Us,Uw})

|∆| ≤ |∆1| + |∆2| + |∆qI11 | + |∆qI2

2 | (translation rules)

≤ |∆1| + |∆2| + |∆1| + |∆2|= 2 ·

(|∆1| + |∆2|

)

≤ 2 ·(2NSize(ϕ1)−1 + 2NSize(ϕ2)−1

)(induction hypothesis)

= 2NSize(ϕ1) + 2NSize(ϕ2)

≤ 2NSize(ϕ1) · 2NSize(ϕ2) (NSize(ϕ1),NSize(ϕ2) ≥ 1)

= 2NSize(ϕ1)+NSize(ϕ2)


(ϕ = (ϕ1 ∧ ϕ2))

|∆| ≤ |∆1| + |∆2| + |∆qI11 | · |∆qI2

2 | (translation rules)

≤ |∆1| + |∆2| + |∆1| · |∆2|≤ 2NSize(ϕ1)−1 + 2NSize(ϕ2)−1 + 2NSize(ϕ1)−1 · 2NSize(ϕ2)−1

(induction hypothesis)

≤ 22 · 2NSize(ϕ1)−1 · 2NSize(ϕ2)−1 (NSize(ϕ1),NSize(ϕ2) ≥ 1)



(ϕ = (ϕ1 ◦ ϕ2), ◦ ∈ {Rs,Rw})

|∆| ≤ |∆1| + |∆2| + |∆qI22 | + |∆qI1

1 | · |∆qI22 | (translation rules)

≤ |∆1| + |∆2| + |∆2| + |∆1| · |∆2|≤ 2NSize(ϕ1)−1 + 2 · 2NSize(ϕ2)−1 + 2NSize(ϕ1)−1 · 2NSize(ϕ2)−1

(induction hypothesis)

≤ 22 · 2NSize(ϕ1)−1 · 2NSize(ϕ2)−1 (NSize(ϕ1),NSize(ϕ2) ≥ 1)



By induction on |ϕ|, it follows that the automaton built from any formula ϕ ∈LTLPNF(AP) using the translation rules has at most 2NSize(ϕ)−1 transitions. Ifϕ ∈ LTL(AP) is not in positive normal form, then the result follows becauseNSize([ϕ]PNF) < 2 · |ϕ| holds. �

On the other hand, for every 1 ≤ n < ω, it is possible to find an LTLformula ϕ such that NSize(ϕ) ∈ O(n) holds, but an automaton built from ϕusing the translation rules has 2O(n) transitions (even when restricted to thesubautomaton rooted at its initial state).

Example 3.2.4 Let {ϕn}1≤n<ω (where ϕn is an LTL formula over n atomicpropositions {p1, p2, . . . , pn} for all 1 ≤ n < ω) be a set of LTL formulasdefined inductively as

ϕ1def= (>Us p1), and

ϕn+1def=

(ϕn ∧ (>Us pn+1)

)for all 1 ≤ n < ω.

Clearly, ϕn is in positive normal form for all 1 ≤ n < ω, and NSize(ϕn) =4n − 1 ∈ O(n) holds for all 1 ≤ n < ω (NSize(ϕ1) = NSize

((>Us p1)

)=

3 = 4 · 1 − 1, and if NSize(ϕk) = 4k − 1 holds for some 1 ≤ k < ω, thenNSize(ϕk+1) = 1 + NSize(ϕk) + NSize

((>Us pk+1)

)= 1 + (4k − 1) + 3 =

4(k + 1) − 1).Let qIn be the initial state of Aϕn . By Proposition 3.2.3, Aϕn has at most

2NSize(ϕn)−1 ∈ 2O(n) transitions. We show that Aϕn has at least 2n initial


transitions. It is easy to see that the automaton built for any of the subformulasof the form (>Us pn) using the translation rules has two initial transitions. IfAϕk

has 2k initial transitions for some 1 ≤ k < ω, then Aϕk+1has 2k · 2 =

2k+1 initial transitions by the definition of the translation rule given for the ∧connective. Obviously, these transitions remain in the subautomaton rootedat the initial state of Aϕk+1

, and it follows that AqInϕn has 2O(n) transitions for

all 1 ≤ n < ω. �

From the above example it follows that the result of the translation proce-dure from LTL to self-loop alternating automata based on the rules presentedin Sect. 3.1 may need exponential space in the node size of the given formulain the worst case. Clearly, the translation will in such cases require also atleast exponential time in the node size of the formula. This worst-case behav-ior is caused by the cumulative effect of applying translation rules defined forthe ∧ and R connectives to LTL formulas containing nested occurrences ofthese connectives: to define the initial transitions in a compound automatonbuilt using one of these rules, it is always necessary to enumerate all pairwisecombinations of initial transitions of the component automata.

3.2.3 Number of Acceptance Conditions

Let Aϕ = 〈2AP , Q,∆, qI ,F〉 be a self-loop alternating automaton built forthe positive normal form of an LTL formula ϕ ∈ LTL(AP) using the trans-lation rules. As noted already at the end of Sect. 3.1, new acceptance condi-tions are introduced during the translation whenever applying a translationrule to a subformula corresponding to a strong temporal eventuality (i.e., aformula with Us or Rs as its main connective), and thus

|F| ≤{(ϕ1 ◦ ϕ2) ∈ Sub([ϕ]PNF) : ◦ ∈ {Us,Rs}

}.

3.3 CORRECTNESS OF THE TRANSLATION

In this section we show the correctness of the translation. We start by provinga lemma that characterizes fin-acceptance in a self-loop alternating automa-ton built using the translation rules for an LTL formula having Us or Uw

as its main connective and establishes a direct correspondence between thesemantics of LTL and the behavior of these automata.

Lemma 3.3.1 Let ϕ = (ϕ1 ◦ ϕ2) ∈ LTLPNF(AP) (◦ ∈ {Us,Uw}), and letA = 〈2AP , Q,∆, qI ,F〉, A1 = 〈2AP , Q1,∆1, qI1,F1〉 and A2 = 〈2AP , Q2,∆2, qI2,F2〉 be the self-loop alternating automata constructed using the trans-lation rules for ϕ, ϕ1 and ϕ2, respectively. For all w ∈ (2AP)ω,

A fin-accepts w iff there exists an index 0 ≤ i < ω such that A2 fin-accepts wi, and for all 0 ≤ j < i, A1 fin-accepts wj

or◦ = Uw, and A1 fin-accepts wi for all 0 ≤ i < ω.

Proof: (Only if) Assume that A fin-accepts w ∈ (2AP)ω. Then, A has a

fin-accepting run G = 〈V,E, L〉 on w. By Proposition 2.3.7, there exists


an index 0 ≤ i ≤ ω and a chain of edges (ej)0≤j<i+1, ej = 〈vj , V′j 〉 ∈

E ∩ (Vj × 2Vj+1), such that L(ej) is an initial self-loop of A for all 0 ≤ j < i,and if i < ω, then L(ei) is an initial transition of A that is not a self-loop.

Because L(ej) is an initial self-loop of A for all 0 ≤ j < i, it follows fromthe translation rules that for each such self-loop there exists a correspondinginitial transition of A1 for all 0 ≤ j < i. Furthermore, if i < ω, the transitionL(ei) (which is not a self-loop of A) corresponds to some initial transition ofA2. Let 0 ≤ j < i+ 1, and let L(ej) = L

(〈vj, V

′j 〉

)= t = 〈qI , θ, F,Q

′〉 ∈ ∆for some θ ∈ PL(AP), F ⊆ F and Q′ ⊆ Q. Because G is a run, w(j) |= θand Q′ = L(V ′

j ) hold. We consider the above two cases separately.

• If t is a self-loop of A, there exists a transition 〈qI1, θ, F1, Q′1〉 ∈ ∆1 for

some F1 ⊆ F1 and Q′1 ⊆ Q1 such that Q′ = Q′

1 ∪ {qI} holds.

BecauseG is fin-accepting, each subautomaton AL(v′) has a fin-accept-ing run on wj+1 = (wj)1 for all v′ ∈ V ′

j by Proposition 2.3.9, and

because Q′1 ⊆ Q′ = L(V ′

j ) holds and Lfin(Aq′) = Lfin(A

q′,F1) =

Lfin(Aq′

1 ) holds for all q′ ∈ Q1, Aq′

1 has a fin-accepting run on wj+1

for all q′ ∈ Q′1. Moreover, because w(j) = (wj)(0) |= θ holds,

Proposition 2.3.15 shows that A1 has a fin-accepting run on wj.

• If t is not a self-loop of A, then t corresponds to an initial transi-tion 〈qI2, θ, F2, Q

′〉 ∈ ∆2 of A2 for some F2 ⊆ F2, and thus Q′ ⊆Q2 holds. Similarly to the self-loop case, the subautomaton AL(v′),

which is fin-equivalent to AL(v′)2 , fin-accepts wj+1 for all v′ ∈ V ′

j byProposition 2.3.9. Because Q′ = L(V ′

j ) and w(j) |= θ hold, it followsthat A2 fin-accepts wj (Proposition 2.3.15).

Thus, because L(ej) is a self-loop of A for all 0 ≤ j < i, it follows thatA1 fin-accepts wj for all 0 ≤ j < i, and furthermore, if i < ω, then A2

fin-accepts wi by the above discussion. It remains to show that the case i = ωis impossible if ◦ = Us. If this were the case, then β = (ej)0≤j<i would bean infinite branch in G having all of its edges labeled with initial self-loopsof A. However, because all of these self-loops share a common acceptancecondition if ◦ = Us, fin(β) would be nonempty, which would contradict theassumption that G is a fin-accepting run of A on w. Therefore, if ◦ = Us,then i < ω holds, and the result follows.

(If) Assume that there either exists an index 0 ≤ i < ω such that A2 fin-

accepts wi and for all 0 ≤ j < i, A1 fin-accepts wj, or that ◦ = Uw holds,and A1 fin-accepts wi for all 0 ≤ i < ω. That is, assume that there exists anindex 0 ≤ i ≤ ω such that A1 fin-accepts wj for all 0 ≤ j < i, and if i < ω,then A2 fin-accepts wi.

By Proposition 2.3.15, the automaton A1 has an initial transition tj,1 =〈qI1, θj,1, Fj,1, Q

′j,1〉 ∈ ∆1 for some θj,1 ∈ PL(AP), Fj,1 ⊆ F1 and Q′

j,1 ⊆ Q1

for all 0 ≤ j < i such that w(j) |= θj,1 holds, and Aq′

1 fin-accepts wj+1 for allq′ ∈ Q′

j,1. Additionally, if i < ω holds, an analogous result holds for an initialtransition ti,2 = 〈qI2, θi,2, Fi,2, Q

′i,2〉 ∈ ∆2 of A2.

By the definition of A, there now exists a transition tj = 〈qI , θj, Fj , Q′j〉 ∈

∆, where θj = θj,1, Fj = {f} for some new acceptance condition f (◦ = Us)


w(0) w(1) w(2) w(3) w(4) w(5)

v0

v0,1

v0,2

v1

v1,1

v2

v2,1

v3

v3,1

v3,2

v4 v5 v5,1

v5,2

(a)

w(0) w(1) w(2) w(3) w(4) w(5)

qI

q0,1

q0,2

qI

q1,1

qI

q2,1

qI

q3,1

q3,2

qI qI q5,1

q5,2

θ0

θ1 θ2 θ3 θ4 θ5

(b)

Fig. 3.5: Construction of a semi-run in Lemma 3.3.1 (◦ = Us, i = 5). (a) Node andedge structure; (b) Labeling of nodes and edges

or Fj = ∅ (◦ = Uw), and Q′j = Q′

j,1 ∪ {qI} for all 0 ≤ j < i. Furthermore, ifi < ω holds, then there exists also a transition ti = 〈qI , θi, ∅, Q

′i〉 ∈ ∆, where

θi = θi,2 and Q′i = Q′

i,2. It is easy to see that, for all 0 ≤ j < i + 1 and

q′ ∈ Q′j \ {qI}, w(j) |= θj holds, and Aq′ fin-accepts wj+1 (because Q′

j \

{qI} = Q′j,1 ⊆ Q1 and wj+1 ∈ Lfin(A

q′

1 ) = Lfin(Aq′,F1∪F1 ) = Lfin(A

q′) holdfor all 0 ≤ j < i and q′ ∈ Q′

j,1 by the definition of A; an analogous resultholds for Q′

i,2 and the automaton A2 if i < ω holds). Using the transitions tj ,we define a fin-accepting semi-run of A on w.

(Definition of G) Write Q′j \ {qI} = {qj,1, qj,2, . . . , qj,nj

} ⊆ Q for all 0 ≤j < i + 1 (0 ≤ nj < ω, qj,k 6= qj,` for all 1 ≤ k, ` ≤ nj , k 6= `). Define thegraph G = 〈V,E, L〉, where

• V0def= {v0}, Vj+1

def= {vj+1, vj,1, . . . , vj,nj

} for all 0 ≤ j < i, and if

i < ω, let Vi+1def= {vi,1, . . . , vi,ni

} and Vjdef= ∅ for all i+ 1 < j < ω;

• Edef=

⋃0≤j<i+1

{〈vj , Vj+1〉

};

• L(vj)def= qI , L(vj,k)

def= qj,k, and L

(〈vj , Vj+1〉

)def= tj for all 0 ≤ j < i+1

and 1 ≤ k ≤ nj.

Figure 3.5 illustrates a possible structure for G with ◦ = Us and i = 5.

(G is a fin-accepting semi-run of A on w) We check that G is a fin-accept-ing semi-run of A on w.

(Partitioning) V0 = {v0}, and V is partitioned into finite disjoint levels(with edges only between successive levels) by construction.

(Causality) Let v ∈ Vj for some 0 ≤ j < ω. Then v either has nooutgoing edges, or v = vj . In this case vj has the unique outgoing edgee = 〈vj , Vj+1〉 ∈ E. On the other hand, if v ∈ Vj for some 1 ≤ j < ω,then v is a successor of the node vj−1 ∈ Vj−1. It follows that G satisfiesboth the forward semi-causality and the backward causality constraints.

(Consistency of L) Clearly, L(v0) = qI holds. Let e ∈ E. By construc-tion, e = 〈vj , Vj+1〉 holds for some 0 ≤ j < i + 1. Because L(e) = tj =〈qI , θj , Fj, Q

′j〉 =

⟨L(vj), θj , Fj, L(Vj+1)

⟩∈ ∆ and w(j) |= θj hold, it

follows that the labeling L is consistent.

(Acceptance) If i < ω, then the edge set E is finite. Therefore B(G) =

∅, and G is trivially fin-accepting. Otherwise G contains a unique infinitebranch, all edges in which are labeled with initial self-loops of A. Because


i = ω implies that ◦ = Uw, the set of acceptance conditions of each initialself-loop of A is empty. It follows that the branch is fin-accepting, andthus G is a fin-accepting semi-run of A on w.

(G can be extended into a fin-accepting run) Let v ∈ V be a node in G

with no outgoing edges. Then v = vj,k ∈ Vj+1 holds for some 0 ≤ j < i+ 1and 1 ≤ k ≤ nj . Because L(v) ∈ Q′

j \ {qI} holds, and because Aq′ fin-accepts wj for all q′ ∈ Q′

j \ {qI}, it follows that G can be extended into afin-accepting run of A on w by Proposition 2.3.14, and thus w ∈ Lfin(A)holds. �

Using the above lemma together with Proposition 2.3.15, we can now givea simple inductive proof of the correctness of the translation.

Theorem 3.3.2 Let ϕ ∈ LTLPNF(AP) be an LTL formula in positive nor-mal form, and let Aϕ be an automaton constructed from ϕ using the transla-tion rules. For all w ∈ (2AP)ω, Aϕ fin-accepts w iff w |= ϕ holds.

Proof: We proceed by induction on the node size of the formula ϕ. IfNSize(ϕ) = 1, ϕ is an atomic formula. If ϕ = ⊥, then it is easy to see fromthe definition of Aϕ that Aϕ has no runs on any input, and thus Lfin(Aϕ) =∅ = L(⊥). Otherwise Aϕ has exactly one initial transition (with guard ϕ),and it follows from Proposition 2.3.15 that Aϕ has a fin-accepting run on wiff w(0) |= ϕ holds, which is equivalent to w |= ϕ in this case, because ϕ is aBoolean formula.

Assume that the result holds for all LTL formulas (in positive normal form)of node size less than or equal to some fixed 1 ≤ k < ω, and let ϕ be a non-atomic LTL formula in positive normal form such that NSize(ϕ) = k + 1.We split the proof in separate cases based on the main connective of ϕ:

(ϕ = Xϕ1)

Aϕ fin-accepts w

iff there exists a transition 〈qI , θ, F,Q′〉 ∈ ∆ such that w(0) |= θ and for

all q ∈ Q′, Aqϕ fin-accepts w1 (Proposition 2.3.15)

iff w(0) |= > and Aϕ1 fin-accepts w1 (definition of Aϕ)

iff w(0) |= > and w1 |= ϕ1 (induction hypothesis)

iff w |= Xϕ1 (semantics of LTL)

(ϕ = (ϕ1 ∨ ϕ2))

Aϕ fin-accepts w



iff there exists a transition 〈qI1, θ1, F1, Q′1〉 ∈ ∆1 such that w(0) |= θ1

and for all q ∈ Q′1, Aq

ϕ (= Aqϕ1

) fin-accepts w1

orthere exists a transition 〈qI2, θ2, F2, Q

′2〉 ∈ ∆2 such that w(0) |= θ2


ϕ (= Aqϕ2

) fin-accepts w1 (definition of Aϕ)

iff Aϕ1 fin-accepts w or Aϕ2 fin-accepts w (Proposition 2.3.15)


iff w |= ϕ1 or w |= ϕ2 (induction hypothesis)

iff w |= (ϕ1 ∨ ϕ2) (semantics of LTL)

(ϕ = (ϕ1 ∧ ϕ2))

Aϕ fin-accepts w



iff there exist transitions 〈qI1, θ1, F1, Q′1〉 ∈ ∆1 and 〈qI2, θ2, F2, Q

′2〉 ∈

∆2 such that w(0) |= (θ1∧θ2) and for all q ∈ Q′1∪Q

′2, Aq

ϕ fin-acceptsw1 (definition of Aϕ)

iff there exists a transition 〈qI1, θ1, F1, Q′1〉 ∈ ∆1 such that w(0) |= θ1


ϕ (= Aqϕ1

) fin-accepts w1

andthere exists a transition 〈qI2, θ2, F2, Q

′2〉 ∈ ∆2 such that w(0) |= θ2


ϕ (= Aqϕ2

) fin-accepts w1

iff Aϕ1 fin-accepts w and Aϕ2 fin-accepts w (Proposition 2.3.15)

iff w |= ϕ1 and w |= ϕ2 (induction hypothesis)

iff w |= (ϕ1 ∧ ϕ2) (semantics of LTL)

(ϕ = (ϕ1 Us ϕ2) or ϕ = (ϕ1 Uw ϕ2))

Aϕ fin-accepts w

iff there exists an index 0 ≤ i < ω such that Aϕ2 fin-accepts wi and forall 0 ≤ j < i, Aϕ1 fin-accepts wj

orϕ = (ϕ1 Uw ϕ2), and for all 0 ≤ i < ω, Aϕ1 fin-accepts wi

(Lemma 3.3.1)

iff there exists an index 0 ≤ i < ω such that wi |= ϕ2 and for all 0 ≤j < i, wj |= ϕ1

orϕ = (ϕ1 Uw ϕ2), and for all 0 ≤ i < ω, wi |= ϕ1 (induction hypothesis)

iff w |= ϕ (semantics of LTL)

(ϕ = (ϕ1 Rs ϕ2) or ϕ = (ϕ1 Rw ϕ2))

Aϕ fin-accepts w

iff A(ϕ2◦(ϕ1∧ϕ2)) fin-accepts w, where ◦ is an Until connective of thesame strength as the main connective of ϕ (definition of Aϕ)

iff there exists an index 0 ≤ i < ω such that A(ϕ1∧ϕ2) fin-accepts wi andfor all 0 ≤ j < i, Aϕ2 fin-accepts wj

or◦ = Uw, and Aϕ2 fin-accepts wi for all 0 ≤ i < ω (Lemma 3.3.1)

iff there exists an index 0 ≤ i < ω such that wi |= (ϕ1 ∧ ϕ2) and for all0 ≤ j < i, wj |= ϕ2

or◦ = Uw, and wi |= ϕ2 for all 0 ≤ i < ω

(case “∧” and the induction hypothesis)


iff w |=(ϕ2 ◦ (ϕ1 ∧ ϕ2)

)(semantics of LTL)

iff w |= ϕ (semantics of LTL)

The result holds by induction for all formulas ϕ ∈ LTLPNF(AP). �

3.4 REVERSE TRANSLATION

In this section we verify that, for any self-loop alternating automaton A overan alphabet Σ with 2n elements for some n ∈ N (i.e., a set that is equipollentto a powerset of some finite set S with n elements), there exists an LTL for-mula ϕ over the atomic propositions S such that for allw ∈ Σω, A fin-acceptsw iff w |= ϕ holds. Together with Theorem 3.3.2, this result establishesthe expressive equivalence between self-loop alternating automata and LTL.Proofs for this result (based on slightly different basic definitions and notionsof acceptance) have previously been presented by Rohde [1997], and Lödingand Thomas [2000]; in this section, we prove the result directly for automatahaving multiple acceptance conditions on transitions instead of states. Addi-tionally, we consider also the complexity of the reverse translation by findingupper bounds for the number of subformulas and temporal subformulas inthe LTL formulas built from self-loop alternating automata via reverse trans-lation.

As noted by Rohde [1997], the expressive equivalence of self-loop alter-nating automata and LTL generalizes to self-loop alternating automata overan arbitrary (finite) nonempty alphabet Σ in the sense that for any self-loopalternating automaton A with alphabet Σ, there exists a finite set S, a one-to-one mapping α : Σ → 2S and an LTL formula ϕ ∈ LTL(S) such thatfor all w ∈ Σω, A fin-accepts w iff

(α(w(i))

)0≤i<ω

|= ϕ holds. It is easy to

define a one-to-one mapping α by taking S to be any finite set with at leastdlog2 |Σ|e elements. The claim then follows by applying the basic correspon-dence between LTL and self-loop alternating automata whose alphabet’s sizeis a power of 2 to the self-loop alternating automaton (over the alphabet 2S)obtained from A by replacing each element of each transition guard of Awith its image under α.

We begin by characterizing in LTL the behavior of a copy of a (subau-tomaton of a) self-loop alternating automaton A = 〈2S, Q,∆, qI ,F〉 along apath in a fin-accepting run of the automaton on some input w ∈ (2S)ω. In-terpreting the path as the description of the stepwise behavior of the copy ofthe automaton, we see (cf. Fig. 2.5, p. 28) that the copy either “stays” in thestate q ∈ Q labeling the first node in the path for a finite number of steps andthen exits the state (without ever entering it again, because A is a self-loopalternating automaton), or remains in the state indefinitely by taking onlyself-loop transitions (i.e., spawning a new copy of itself at every step). Be-cause the run is fin-accepting, the infinite chain formed from these self-loopscorresponds to a fin-accepting branch of the run. Hence, for all acceptanceconditions f ∈ F , the copy of the automaton takes infinitely many self-loops,none of which is an f -transition of A.

To formalize this intuition, we first introduce some notation. Assume thatq is the source state of the ith consecutive edge (labeled with a transition t =


〈q,Γ, F,Q′〉 ∈ ∆) in a chain through the fin-accepting run of A. Because qis the initial state of some subautomaton of A, it follows by Proposition 2.3.15that the guard of t contains the input symbol w(i) ∈ 2S (i.e., w(i) |= θ holdsfor the characteristic Boolean formula θ of Γ), and all subautomata rooted atthe states in Q′ fin-accept wi+1. Suppose that the language accepted by eachsubautomaton rooted at a target state q′ ∈ Q′ \ {q} of t coincides with thelanguage of some LTL formula ϕq′ , i.e., wi+1 |= ϕq′ holds. We thus find that

wi |= µ(〈q, θ, F,Q′〉

)def= (θ ∧

∧

q′∈Q′\{q}

Xϕq′).

Using µ, the implications of a copy of A (that is in state q ∈ Q) taking aself-loop, a non-self-loop, or a self-loop that is not an f -transition of A cannow be written as the LTL formulas

ψself-loop(q)def=

∨

〈q,θ,F,Q′〉∈∆,

q∈Q′

µ(〈q, θ, F,Q′〉

), ψnon-self-loop(q)

def=

∨

〈q,θ,F,Q′〉∈∆,

q /∈Q′

µ(〈q, θ, F,Q′〉

)

andψavoid(q, f)

def=

∨

〈q,θ,F,Q′〉∈∆,

q∈Q′, f /∈F

µ(〈q, θ, F,Q′〉

).

We can now give a characterization of the above description of the loopingbehavior of A in LTL. Assuming the existence of LTL formulas correspond-ing to the successors of the state q of the alternating automaton A (excludingq itself), we can apply the following lemma to find an LTL formula, thelanguage of which coincides with the language fin-accepted by the subau-tomaton Aq.

Lemma 3.4.1 Let A = 〈Σ, Q,∆, qI ,F〉 be a self-loop alternating automatonover the alphabet Σ = 2S for some finite set S, and let q ∈ Q. Assume that forall successors q′ of q in A, excluding q itself, there exists an LTL formula ϕq′such that for all w ∈ Σω, the subautomaton (Aq)q

′fin-accepts w iff w |= ϕq′

holds. For all w ∈ Σω, Aq fin-accepts w iff w satisfies the formula

ϕqdef=

((ψself-loop(q) Us ψnon-self-loop(q)

)∨ G

(ψself-loop(q) ∧

∧

f∈F

Fψavoid(q, f)))

.

Proof: (Only if) Let G = 〈V,E, L〉 be a fin-accepting run of Aq on some

w ∈ Σω. By Proposition 2.3.7, there exists an index 0 ≤ i ≤ ω and a chainof edges (ej)0≤j<i+1, ej = 〈vj , V

′j 〉 ∈ E ∩ (Vj × 2Vj+1), such that L(ej) is an

initial self-loop of Aq for all 0 ≤ j < i, and if i < ω, then L(ei) is an initialtransition of Aq that is not a self-loop. It is clear that L(vj) = q holds for all0 ≤ j < i+ 1.

Let 0 ≤ j < i + 1. Because G is a run, the edge ej = 〈vj, V′j 〉 is labeled

with a transition tj = 〈q, θj, Fj , Q′j〉 ∈ ∆ such that w(j) |= θj and Q′

j =L(V ′

j ) hold. Because θj is a Boolean formula, it follows that wj |= θj holds,

and because G is fin-accepting, (Aq)q′fin-accepts wj+1 for all q′ ∈ Q′

j byProposition 2.3.9. By assumption, this implies that wj+1 |= ϕq′ holds for all


q′ ∈ Q′j \{q}. Therefore wj |=

(θj ∧

∧q′∈Q′

j\{q}Xϕq′

), i.e., wj |= µ(tj) holds

by the semantics of LTL.Because L(ej) is an initial self-loop of Aq for all 0 ≤ j < i, it follows from

the definition of ψself-loop(q) that wj |= ψself-loop(q) holds for all 0 ≤ j < i. Ifi < ω, then, because L(ei) is an initial transition of Aq that is not a self-loop,also wi |= ψnon-self-loop(q) holds. But then w |=

(ψself-loop(q) Us ψnon-self-loop(q)

)

holds by the semantics of LTL, which implies that w |= ϕq.

If i = ω, then the chain βdef= (ej)0≤j<i is an infinite branch, all edges of

which are labeled with initial self-loops of Aq. As seen above, wj |= µ(tj)and wj |= ψself-loop(q) hold for all 0 ≤ j < ω. Fix 0 ≤ j < ω, and let f ∈ F .Because G is fin-accepting, fin(β) = ∅, and thus there exists an index j ≤k < ω such that L(ek) is not an f -transition of A. Because wk |= µ(tk) holds,and L(ek) is an initial self-loop of Aq, it follows that wk |= ψavoid(q, f) holds.But then, because k ≥ j, wj |= Fψavoid(q, f) holds, and because f is arbitraryand wj |= ψself-loop(q), it follows that wj |=

(ψself-loop(q) ∧

∧f∈F Fψavoid(q, f)

)

holds. Since j is arbitrary, we conclude that w |= ϕq holds also in this case.

(If) Assume that w |= ϕq holds. Then w satisfies at least one of the formu-

las(ψself-loop(q) Us ψnon-self-loop(q)

)and G

(ψself-loop(q)∧


), and

there necessarily exists a maximal index 0 ≤ i ≤ ω such thatwj |= ψself-loop(q)and wj 6|= ψnon-self-loop(q) hold for all 0 ≤ j < i, and if i < ω, thenwi |= ψnon-self-loop(q). From the definition of ψself-loop(q) it follows that the

set of initial self-loop transitions Tjdef=

{〈q, θ, F,Q′〉 ∈ ∆ q ∈ Q′, wj |=

µ(〈q, θ, F,Q′〉

)}is nonempty for all 0 ≤ j < i. Our goal is to choose self-

loops tjdef= 〈q, θj , Fj, Q

′j〉 ∈ Tj for all 0 ≤ j < i (and if i < ω, an additional

non-self-loop transition tidef= 〈q, θi, Fi, Q

′i〉 ∈ ∆ such that wi |= µ(ti) holds;

ti exists because wi |= ψnon-self-loop(q) holds in this case) and construct a fin-accepting semi-run G of Aq on w by forming a (possibly infinite) chain ofedges labeled with these transitions. For this purpose, we fix a total order ≺on the set of acceptance conditions F ; because F is finite, every nonemptysubset of F then contains a minimal element under ≺.

(Definition of the transitions tj) Let t0 ∈ T0 be any element of T0. As-sume that the transitions tj = 〈q, θj, Fj, Q

′j〉 have already been defined

for all 0 ≤ j < k for some 1 ≤ k < i. Let αkdef= min

({k − 1} ∪{

0 ≤ ` < k⋂`≤j≤k−1 Fj 6= ∅

})be the minimal index strictly less than

k such that all transitions tαk, tαk+1, . . . , tk−1 share a common acceptance

condition in F if such a condition exists (and let αkdef= k − 1 otherwise).

Let Fkdef=

⋂αk≤j≤k−1Fj be the set of all acceptance conditions shared by

these transitions, and define fkdef= min≺ Fk for every nonempty Fk. Now, let

tkdef= 〈q, θk, Fk, Q

′k〉 be any transition t = 〈q, θ, F,Q′〉 ∈ Tk such that fk /∈ F

if Fk 6= ∅ and such a transition exists in Tk; otherwise let tk be any transitionin the set Tk.

(Definition of G) Without loss of generality, we may write Q′j \ {q} as a

finite set of distinct states Q′j = {qj,1, qj,2, . . . , qj,nj

} for some 0 ≤ nj < ωand all 0 ≤ j < i+ 1. Let G = 〈V,E, L〉, where

• V0def= {v0}, Vj+1

def= {vj+1, vj,1, . . . , vj,nj

} for all 0 ≤ j < i, and if

i < ω, let Vi+1def= {vi,1, . . . , vi,ni

} and Vjdef= ∅ for all i+ 1 < j < ω;


• Edef=

⋃0≤j<i+1

{〈vj , Vj+1〉

};

• L(vj)def= q, L(vj,k)

def= qj,k, and L

(〈vj , Vj+1〉

)def= tj for all 0 ≤ j < i+1

and 1 ≤ k ≤ nj.

(The structure of the graph G is identical to the graph defined in the proofof the “If” direction of Lemma 3.3.1; see also Fig. 3.5.)

(G is a semi-run of Aq on w) We check that G satisfies all constraints re-quired of a semi-run of Aq on w.

(Partitioning) V0 = {v0}, and V is partitioned into finite disjoint levels(with edges between successive levels of G) by construction.

(Causality) Let v ∈ Vj for some 0 ≤ j < ω. Then v either has nooutgoing edges, or v = vj and j < i + 1. In this case v has the uniqueoutgoing edge e = 〈vj, Vj+1〉 ∈ E. On the other hand, because the targetnode set of the only edge starting from a node at level 0 ≤ j < i+1 coversall nodes in Vj+1, it is clear that each node in Vj for some 1 ≤ j < ω is asuccessor of some node at level j − 1.

(Consistency of L) Obviously, L(v0) = q holds. Let e ∈ E. By con-

struction, e = 〈vj, Vj+1〉 holds for some 0 ≤ j < i+ 1. Since wj |= µ(tj)holds (i.e., wj |=

(θj ∧

∧q′∈Q′

j\{q}Xϕq′

)holds), w(j) |= θj holds, and

because L(e) = tj = 〈q, θj, Fj , Q′j〉 =

⟨L(vj), θj , Fj, L(Vj+1)

⟩holds, the

labeling L is consistent.

(G is fin-accepting) We check that G is fin-accepting. If i < ω (i.e., ifw |= (ψself-loop(q) Us ψnon-self-loop(q)) holds), then the edge set E is finite. Thisimplies that B(G) = ∅, and thus G is trivially a fin-accepting semi-run of Aq

on w. Otherwise B(G) contains a unique infinite branch βdef= (ej)0≤j<ω,

where ej = 〈vj, Vj+1〉 for all 0 ≤ j < ω.Assume that β is not fin-accepting. Therefore, there exists a minimal index

0 ≤ k < ω such that all transitions L(ej) = tj = 〈q, θj, Fj, Q′j〉 share a

nonempty set of acceptance conditions from F for all k ≤ j < ω. Letfmin be the ≺-minimal acceptance condition among the maximal set of suchconditions. Because k is minimal, there exists another index k ≤ k′ < ωsuch that fmin is also the minimal element of Fj for all k′ < j < ω.

Because i = ω, w 6|=(ψself-loop(q) Us ψnon-self-loop(q)

). Therefore it is nec-

essarily the case that w |= G(ψself-loop(q) ∧


)holds, and

thus there exists an index k′ < ` < ω such that w` |= ψavoid(q, fmin) =∨〈q,θ,F,Q′〉∈∆

q∈Q′, fmin /∈F

µ(〈q, θ, F,Q′〉

). It now follows that T` has a nonempty subset

T of transitions, none of which includes fmin in its acceptance conditions.Because fmin is the minimal element of F`, it follows that t` was chosen fromthe set T . But then fmin cannot be one of the acceptance conditions sharedby all transitions tj for all k ≤ j < ω, which is a contradiction. It follows thatβ is fin-accepting, and G is a fin-accepting semi-run of Aq on w.

(G can be extended into a fin-accepting run of Aq on w) Let v ∈ V be anode with no outgoing edges in G. Then v = vj,k ∈ Vj+1 holds for some0 ≤ j < i + 1 and 1 ≤ k ≤ nj such that L(v) = qj,k ∈ Q′

j \ {q}. Becausewj |= µ(tj) holds, that is, wj |=

(θj ∧

∧q′∈Q′

j\{q}Xϕq′

)holds, it follows that


wj+1 |= ϕq′ for all q′ ∈ Q′j \ {q}. In particular, (Aq)qj,k now has a fin-

accepting run on wj+1 by assumption. Since v is an arbitrary node of G withno outgoing edges, it follows that G can be extended to a full fin-acceptingrun of Aq on w by Proposition 2.3.14, and thus Aq fin-accepts w. �

We can now establish the main result of this section by a straightfor-ward inductive proof on the structure of self-loop alternating automata, usingLemma 3.4.1 for proving the induction step.

Theorem 3.4.2 Let A = 〈Σ, Q,∆, qI ,F〉 be a self-loop alternating automa-ton over the alphabet Σ = 2S for some finite set S. There exists an LTLformula ϕ over the atomic propositions S such that for all w ∈ Σω, A fin-accepts w iff w |= ϕ holds.

Proof: Because A is a self-loop alternating automaton, there exists a functionρ : Q → N such that for all transitions 〈q,Γ, F,Q′〉 ∈ ∆, ρ(q′) < ρ(q) holdsfor all q′ ∈ Q′ \ {q}. In particular, as seen in the proof of Proposition 2.3.16,ρ(q) can be defined as

ρ(q)def= max

{|x| x is a simple path from q to a state q′ ∈ Q0

}

where Q0def=

{q ∈ Q for all 〈q,Γ, F,Q′〉 ∈ ∆, Q′ ⊆ {q}

}. We proceed

by induction on ρ(q). If ρ(q) = 1, then the result follows immediately forthe subautomaton Aq by Lemma 3.4.1, since q has no successors differentfrom itself (and thus the assumption needed in Lemma 3.4.1 holds trivially).Assume that the result holds for all subautomata Aq, where q ∈ Q satisfiesρ(q) ≤ i for some 1 ≤ i < ω. Let q ∈ Q be a state for which ρ(q) =i + 1. Then, ρ(q′) ≤ i holds for all successors of q excluding q itself, andthe result follows again for the subautomaton Aq by Lemma 3.4.1 and theinduction hypothesis. By induction, we conclude that the result holds alsofor the subautomaton AqI , because ρ(qI) is finite, and therefore also for theautomaton A, because A and AqI are fin-equivalent (Proposition 2.3.12). �

The proof of Theorem 3.4.2 gives an inductive procedure for finding anLTL formula that corresponds to a given self-loop alternating automaton byrepeatedly using the formula given in Lemma 3.4.1 as a pattern for defin-ing LTL formulas corresponding to states with increasing values of ρ. Weillustrate the reverse translation with the following example.

Example 3.4.3 Consider again the self-loop alternating automaton workingon the alphabet Σ = {a, b, c} from Ex. 2.3.21 (repeated in Fig. 3.6 with thevalues of the function ρ used in Theorem 3.4.2). Because the alphabet Σconsists of three distinct symbols, the automaton can be translated into an

LTL formula over two atomic propositions APdef= {p1, p2} by defining (as

described in the beginning of this section) a mapping α : Σ → 2AP with

(for example) α(a)def= {p1}, α(b)

def= {p2} and α(c)

def= {p1, p2}. Under this

mapping, the guards of transitions in the automaton can be represented with


q1

q2 q3 q4

q5 q6

q7 q8 ρ = 1

ρ = 2

ρ = 3

ρ = 4

{a}

{a}

{a}

{a}

{a}

{a}

{b}

{b}

{b}

{b}{b}

{c}

{c}

{c}

{a, c} {b, c}

{b, c}

{a, b, c}

Fig. 3.6: The self-loop alternating automaton of Fig. 2.8 with the values of the func-tion ρ displayed

the characteristic Boolean formulas

θ{a}def= (p1 ∧ ¬p2),

θ{b}def= (¬p1 ∧ p2),

θ{c}def= (p1 ∧ p2),

θ{a,c}def=

((p1 ∧ ¬p2) ∨ (p1 ∧ p2)

)≡ p1,

θ{b,c}def=

((¬p1 ∧ p2) ∨ (p1 ∧ p2)

)≡ p2, and

θ{a,b,c}def=

((p1 ∧ ¬p2) ∨

((¬p1 ∧ p2) ∨ (p1 ∧ p2)

))≡ (p1 ∨ p2)

In the following, we shall use the above θ formulas instead of writing thecharacteristic Boolean formulas explicitly to simplify the notation. We shallalso omit parentheses from formulas whenever it is possible to do so withoutsemantic ambiguity.

The reverse translation can be started from any state q with ρ(q) = 1, forexample, the state q7. For this state, we define

ψself-loop(q7)def=

∨〈q7,θ,F,Q′〉∈∆,

q7∈Q′

µ(〈q7, θ, F,Q

′〉)

= µ(〈q7, θ{a}, {◦}, {q7}〉

)∨ µ

(〈q7, θ{b}, {•}, {q7}〉

)

∨ µ(〈q7, θ{c}, {•, ◦}, {q7}〉

)

=(θ{a} ∧

∧q′∈∅ Xϕq′

)∨

(θ{b} ∧


)

∨(θ{c} ∧


)

≡ (θ{a} ∧ >) ∨ (θ{b} ∧ >) ∨ (θ{c} ∧>)

≡ θ{a} ∨ θ{b} ∨ θ{c},

ψnon-self-loop(q7)def=

∨〈q7,θ,F,Q′〉∈∆,

q7 /∈Q′

µ(〈q7, θ, F,Q

′〉)≡ ⊥,

ψavoid(q7, •)def=

∨〈q7,θ,F,Q′〉∈∆,

q7∈Q′, • /∈F

µ(〈q7, θ, F,Q

′〉)

= µ(〈q7, θ{a}, {◦}, {q7}〉

)

= θ{a} ∧∧q′∈∅ Xϕq′

≡ θ{a}, and


Table 3.5: ψself-loop-, ψnon-self-loop- and ψavoid-formulas built during reverse translation

State q ψself-loop(q) ψnon-self-loop(q) ψavoid(q, •) ψavoid(q, ◦)

q7 θ{a} ∨ θ{b} ∨ θ{c} ⊥ θ{a} θ{b}

q8 θ{a,b,c} ⊥ θ{a,b,c} θ{a,b,c}

q5 θ{b,c} θ{a} ∧ Xϕq7 ∧ Xϕq8 θ{b,c} θ{b,c}

q6 θ{a} ∨ θ{c} θ{b} ∧ Xϕq8 ⊥ θ{c}

q2 θ{a,c} ∧ Xϕq5 θ{b} ∧ Xϕq6 θ{a,c} ∧ Xϕq5 ⊥q3 ⊥ (θ{a}∧Xϕq5∧Xϕq6 ) ∨ (θ{b}∧Xϕq7 ) ⊥ ⊥q4 ⊥ (θ{a} ∧ Xϕq6 ) ∨ θ{b,c} ⊥ ⊥q1 (θ{b}∧Xϕq3 ) ∨ θ{c} θ{a} ∧ Xϕq2 ∧ Xϕq4 θ{c} θ{b}∧Xϕq3

ψavoid(q7, ◦)def=

∨〈q7,θ,F,Q′〉∈∆,

q7∈Q′, ◦ /∈F

µ(〈q7, θ, F,Q

′〉)

= µ(〈q7, θ{b}, {•}, {q7}〉

)

= θ{b} ∧∧q′∈∅ Xϕq′

≡ θ{b}.

Applying Lemma 3.4.1, we get the formula

ϕq7def=

(ψself-loop(q7)Us ψnon-self-loop(q7)

)

∨ G(ψself-loop(q7) ∧

∧f∈{•,◦} Fψavoid(q7, f)

)

≡((θ{a} ∨ θ{b} ∨ θ{c})Us ⊥

)∨ G

((θ{a} ∨ θ{b} ∨ θ{c}) ∧ Fθ{a} ∧ Fθ{b}

)

≡ ⊥ ∨ G((θ{a} ∨ θ{b} ∨ θ{c}) ∧ Fθ{a} ∧ Fθ{b}

)

≡ G((θ{a} ∨ θ{b} ∨ θ{c}) ∧ Fθ{a} ∧ Fθ{b}

).

Table 3.5 and Table 3.6 show (simplified) formulas built by repeating thereverse translation in the states q8, q5, q6, q2, q3, q4 and q1 (where the order isdetermined by increasing values of ρ). No (simplified) formula correspond-ing to a transient state of the automaton has a top-level subformula havingG as its main connective. By the discussion at the beginning of this sec-tion and Theorem 3.4.2, the automaton fin-accepts a word w ∈ {a, b, c}ω iff(α(w(i))

)0≤i<ω

|= ϕq1 holds. �

It is easy to see from the previous example that the length of the for-mulas obtained by repeated applications of Lemma 3.4.1 grows rapidly asthe value of ρ increases (in the example, we did not even try to write theϕq-formulas in explicit form for states with ρ(q) > 1). There is neverthe-less some sharing between the subformulas: in the remainder of this sec-

Table 3.6: ϕq-formulas built during reverse translation

State q ϕq

q7 G`(θ{a} ∨ θ{b} ∨ θ{c}) ∧ Fθ{a} ∧ Fθ{b}

´

q8 Gθ{a,b,c}

q5`θ{b,c} Us (θ{a} ∧ Xϕq7 ∧ Xϕq8 )

´∨ Gθ{b,c}

q6 (θ{a} ∨ θ{c})Us (θ{b} ∧ Xϕq8 )q2 (θ{a,c} ∧ Xϕq5 )Us (θ{b} ∧ Xϕq6 )q3 (θ{a} ∧ Xϕq5 ∧ Xϕq6 ) ∨ (θ{b} ∧ Xϕq7 )q4 (θ{a} ∧ Xϕq6 ) ∨ θ{b,c}

q1`((θ{b} ∧ Xϕq3 ) ∨ θ{c})Us (θ{a} ∧ Xϕq2 ∧ Xϕq4 )

´

∨ G`((θ{b} ∧ Xϕq3 ) ∨ θ{c}) ∧ Fθ{c} ∧ F(θ{b} ∧ Xϕq3 )

´


tion, we shall investigate the behavior of the simple reverse translation pro-cedure based on Lemma 3.4.1 by determining upper bounds for the numberof subformulas and pure temporal subformulas in a formula ϕ obtained byapplying the procedure to a self-loop alternating automaton A. In particu-lar, the upper bound for the number of pure temporal subformulas can beused as a coarse measure for the efficiency of the reverse translation: becausethe formula ϕ could be translated back into an automaton having at most1 + |Temp(ϕ)| states (Corollary 3.2.2), |Temp(ϕ)| should ideally not exceedthe number of states |Q| in A. However, because the formula pattern de-fined in Lemma 3.4.1 includes explicit quantification over the acceptanceconditions F of the automaton A, the upper bound for the number of puretemporal subformulas will actually depend on the product of |Q| and |F|.Even worse, the upper bound for the number of subformulas in ϕ dependsexplicitly also on the number of transitions in A (which may be exponentialin |Q|), and therefore reverse translation using the simple strategy based onthe repeated application of Lemma 3.4.1 is unlikely to be feasible in practiceexcept for very small problem instances.

Proposition 3.4.4 Let A = 〈Σ, Q,∆, qI ,F〉 be a self-loop alternating au-tomaton with |Q| 6= ∅ and |∆| 6= ∅ over the alphabet Σ = 2S for some finite

set S, and let ϕdef= ϕqI be the LTL formula obtained from A by repeated

applications of Lemma 3.4.1 to states in A as described in Theorem 3.4.2.

Let cdef= max

{|Sub(θ)| : 〈q, θ, F,Q′〉 ∈ ∆

}≥ 1 be the maximum number

of (syntactically distinct) subformulas in any Boolean formula occurring asthe guard of a transition in ∆. Then,

(a) |Sub(ϕ)| ∈ O((c+ |F|) · |Q| · |∆|

), and

(b) |Temp(ϕ)| ∈ O((1 + |F|) · |Q|

).

Proof: (a) Clearly, |Sub(ϕ)| cannot exceed the number of subformulas cre-

ated in repeated applications of Lemma 3.4.1. We find an upper bound forthe number of these formulas. It follows directly from Theorem 3.4.2 and thedefinitions of µ, ϕq and the various ψ formulas that a subformula ϕ′ built inreverse translation will have one of the following forms:

(1) ϕ′ = ϕq for some q ∈ Q; (Theorem 3.4.2)

(2) ϕ′ = Xϕq for some q ∈ Q; (definition of µ)

(3) ϕ′ ∈ Sub(∧

q′∈Q′\{q} Xϕq′)\

⋃q′∈Q Sub(Xϕq′) for some transition

〈q, θ, F,Q′〉 ∈ ∆; (—)

(4) ϕ′ ∈ Sub(θ) for some transition 〈q, θ, F,Q′〉 ∈ ∆ (—)

(5) ϕ′ = µ(t) for some transition t ∈ ∆ (definitions of the ψ formulas)

(6) ϕ′ ∈ Sub(ψself-loop(q)

)\

⋃t∈∆ Sub

(µ(t)

)for some q ∈ Q; (def. of ϕq)

(7) ϕ′ ∈ Sub(ψnon-self-loop(q)

)\

⋃t∈∆ Sub

(µ(t)

)for some q ∈ Q; (—)

(8) ϕ′ ∈ Sub(ψavoid(q, f)

)\

⋃t∈∆ Sub

(µ(t)

)for some q ∈ Q and f ∈ F ;

(—)

(9) ϕ′ = Fψavoid(q, f) for some q ∈ Q and f ∈ F ; (—)

(10) ϕ′ ∈ Sub( ∧

f∈F Fψavoid(q, f))\

⋃q′∈Q

⋃f ′∈F Sub

(Fψavoid(q

′, f ′))

forsome q ∈ Q; (—)

(11) ϕ′ =(ψself-loop(q) ∧




(12) ϕ′ = G(ψself-loop(q) ∧



(13) or ϕ′ =(ψself-loop(q) Us ψnon-self-loop(q)

)for some q ∈ Q. (—)

The total number of subformulas of type (1), (2), (11), (12) and (13) isclearly less than or equal to 5 · |Q|. Similarly, there are at most |∆| subfor-mulas of type (5) and at most c · |∆| subformulas of type (4) (each guard of atransition in A has at most c syntactically distinct subformulas). The numberof subformulas of type (9) is obviously bounded by |Q| · |F|.

It is straightforward to check that any formula of the form∧ϕ∈Φ ϕ or∨

ϕ∈Φ ϕ for a finite Φ ⊆ LTL(AP) has no more than |Φ| subformulas notappearing as a subformula of any ϕ ∈ Φ, independently of the way in whichthe conjunction or the disjunction is parenthesized. Therefore, the num-ber of subformulas of type (3) or (10) cannot exceed |Q| · |∆| and |Q| · |F|,respectively.

Finally, it is easy to see that, for all q ∈ Q and f ∈ F , ψself-loop(q),

ψnon-self-loop(q) or ψavoid(q, f) is of the form∨t∈∆′ µ(t) for some ∆′ ⊆ ∆q

def=(

{q}× 2Σ × 2F × 2Q)∩∆. Clearly, Sub

(∨t∈∆′ µ(t)

)\

⋃t∈∆ Sub

(µ(t)

)≤

Sub(∨

t∈∆qµ(t)

)≤ |∆q| holds (for any q ∈ Q) by the above discussion.

It follows that at most∑

q∈Q |∆q| = |∆| subformulas of type (6) or (7) and∑q∈Q |∆q| · |F| = |∆| · |F| subformulas of type (8) are created in reverse

translation.Adding the numbers of the subformulas, we find that |Sub(ϕqI )| ≤

(5 +

2 · |F|) · |Q| + (3 + c+ |F|) · |∆| + |Q| · |∆| ∈ O((c+ |F|) · |Q| · |∆|

).

(b) By the classification of subformulas of ϕ in (a), all pure temporal sub-

formulas built in reverse translation are of the form (2), (9), (12) or (13).Therefore, |Temp(ϕ)| ≤

(3 + |F|

)· |Q| ∈ O

((1 + |F|) · |Q|

). �


4 NONDETERMINIZATION OF SELF-LOOP ALTERNATING AUTO-MATA

In this chapter we study the translation of self-loop alternating automata intonondeterministic automata. Because nondeterministic automata are equallyexpressive to alternating automata on both finite [Kozen 1976; Chandra andStockmeyer 1976; Brzozowski and Leiss 1980; Chandra et al. 1981] and infi-nite inputs (under many notions of acceptance, using the same mode of ac-ceptance for both types of automata) [Miyano and Hayashi 1984a,b; Lindsay1988; Muller and Schupp 1995], checking whether an alternating automatonrecognizes the empty language can be reduced to the corresponding questionon a nondeterministic automaton that is equivalent to the alternating one. Inthe worst case, however, the number of states in the smallest such nondeter-ministic automaton is exponential in the number of states in the alternatingautomaton. Nevertheless, the language emptiness problem of alternating au-tomata is usually solved in practice via some form of (explicit or implicit)nondeterminization.

In general, the key to translating an alternating automaton into a finitenondeterministic one is to find a finite encoding for the information that isneeded to distinguish accepting branches from non-accepting ones in a runof the automaton. It is well-known that this can be done under very generalnotions of acceptance by merging branches together in a systematic way tokeep the number of active copies at each level of the run of the automatonbounded. We begin this chapter by reviewing this process of run uniformiza-tion for self-loop alternating automata working in fin-acceptance mode inSect. 4.1. The uniformization of runs leads to a construction for translatingself-loop alternating automata working in fin-acceptance mode into nonde-terministic automata working in the same mode (Sect. 4.2). This construc-tion is very similar to the one previously proposed by Gastin and Oddoux[2001]. Because of our more general notion of acceptance, however, a trans-lation procedure (from LTL into nondeterministic automata) based on theconstruction has inferior performance to Gastin and Oddoux’s constructiondue to its greater worst-case impact on the number of new acceptance con-ditions required for the nondeterministic automaton. We show in Sect. 4.3that there is nevertheless no need for the introduction of new acceptanceconditions during nondeterminization for a special class of automata whichhave accepting runs that satisfy certain restrictions on the occurrence of tran-sitions associated with acceptance conditions of the automaton. It occursthat all automata obtained from the translation presented in Ch. 3 triviallybelong to this class of automata.

Of course, there are also cases in which an alternating automaton canbe translated into a nondeterministic one without an exponential blow-up inthe number of states. In Sect. 4.6, we review a simple syntactic subclass ofLTL that translates directly into nondeterministic automata using the rulespresented in Sect. 3.1. Consequently, any formula in this subclass can betranslated into a nondeterministic automaton with a linear number of statesin the number of pure temporal subformulas in the formula. This subclassof LTL was previously considered by Schneider [1999] in the context of sym-

68 4. NONDETERMINIZATION OF SELF-LOOP ALTERNATING AUTOMATA

bolic translation algorithms between LTL and nondeterministic automata.We show that the subclass is very closely related also to the syntactic subclassLTLdet introduced by Maidl [2000a]. We also observe that deciding formulasatisfiability in this restricted subset of LTL is NP-complete.

4.1 UNIFORM RUNS

In this section, we review a classic technical result that will allow us to restrictthe search for an accepting run for a self-loop alternating automaton into arestricted subset of runs in which the number of nodes in each level of arun remains bounded by the number of states in the automaton. This resultthen leads to a construction for translating self-loop alternating automata intonondeterministic automata (to be discussed in Sect. 4.2).

Merging Run Branches

The only restriction on the size of levels in a run of an alternating automatonis that each level of the run should be finite. The number of nodes in a levelof a run may nevertheless grow without any finite bound as the automatonkeeps spawning new copies of its subautomata when working on its input.Because the automaton has only finitely many states, however, any level withmore nodes than there are states in the automaton represents a situation inwhich some active copies of the automaton are in the same state. If therun is accepting, then all subgraphs rooted at identically labeled nodes atthe level are accepting runs of the same subautomaton on the remaininginput (cf. Proposition 2.3.9). A simple idea to reduce the size of the levelis to force all copies in the same state to behave identically on the rest ofthe input by choosing a representative node among the identically labelednodes and redirecting each edge that covers any of the nonrepresentativenodes as a target node to cover the representative node instead, cutting off thesubgraphs originally rooted at the other nodes. Obviously, this transformationcauses some branches in the original run to be merged. Repeating the sameconsideration for each collection of identically labeled nodes at the levelwould then allow reducing the size of the level to at most as many nodes asthere are states in the automaton.

In general, we call a systematic method for merging branches to keep alevel of a run finitely bounded a uniformization strategy. When applied tothe possibly infinite number of levels in the run, however, a uniformizationstrategy should also preserve the acceptance and non-acceptance of runs inorder be useful in considerations on the existence of accepting runs for theautomaton. Instead of simply merging branches at their identically labelednodes, the decision on whether the merging of branches is permissible mayin the general case need to be based on additional information (that is, amemory) about the past evolution of the individual branches. Despite thepossibly unbounded growth in the number of levels that precede anotherlevel in a run, the information needed for uniformization can be shown tobe representable under very general notions of acceptance using only a fi-nite amount of memory by appealing to the “forgetful determinacy” resultsof Gurevich and Harrington [1982] (see [Lindsay 1988; Emerson and Jutla

4. NONDETERMINIZATION OF SELF-LOOP ALTERNATING AUTOMATA 69

1991; Muller and Schupp 1995]). For example, in the case of automata witha single inf-acceptance condition, this information can be thought of as be-ing annotated directly in the label of each node in the run to make brancheswhich have different memories distinguishable (see, for example, [Isli 1994,1996]).1 Ultimately, the finiteness of the memory needed for uniformizationwill then allow the alternating automaton to be translated into a nondeter-ministic one which “implements” the uniformization strategy.

As will be shown below, however, no branches ending in the same stateneed ever be distinguished in runs of self-loop alternating automata with inf-or fin-acceptance, since—similarly to weak [Muller et al. 1986, 1992] or,indeed, very weak [Rohde 1997] automata—the acceptance of an infinitebranch in a run of such an automaton is determined by the branch’s conver-gence properties (which, intuitively, do not depend on the past). Therefore,we can use an explicit run-based definition of uniformity. (Instead of rea-soning directly about runs of automata, uniformization results are usuallypresented in a game-theoretic setting by arguing about the existence of finitememory winning strategies for infinite acceptance games played on alternat-ing automata. We refer the reader to the article by Muller and Schupp [1995]for a general methodology for constructing such strategies under a variety ofnotions of acceptance.)

Uniform Runs for Self-loop AutomataFormally, we call a run G = 〈V,E, L〉 (where V is partitioned into finitedisjoint levels V =

⋃0≤i<ω Vi as usual) of an alternating automaton A =

〈Σ, Q,∆, qI ,F〉 uniform iff, for all 0 ≤ i < ω, L(v) 6= L(v′) holds for allv, v′ ∈ Vi, v 6= v′. (Because L is consistent, then obviously L(v), L(v′) ∈ Qholds, and it follows that the size of each level of G is bounded, i.e., |Vi| ≤|Q| holds.) We say that an alternating automaton A has uniform inf- (resp.fin-)accepting runs iff it has a uniform inf- (fin-)accepting run on all wordsin its language.

Intuitively, an alternating automaton with uniform inf- (fin-)acceptingruns is able to accept all words in its language without spawning more thanone copy of any of its subautomata at any step when working on an input be-longing to the language. Of course, the exact set of subautomata to spawn ata particular step is not necessarily unique due to the possibility of combininginitial transitions of the currently active subautomata in several consistentways, and some of the combinations may fail to give rise to an acceptingrun for the automaton. Nevertheless, the automaton always has at least one“successful” way to choose the subautomata to spawn at each step wheneverthe input given for the automaton belongs to the language of the automa-ton. On the other hand, no such way exists if the input does not belong tothis language. This intuition, which is easily seen to apply also to nondeter-ministic automata and, in fact, all alternating automata with no acceptanceconditions, is made formal below.

Proposition 4.1.1 Let A = 〈Σ, Q,∆, qI ,F〉 be a nondeterministic automa-ton, a self-loop alternating automaton, or an alternating automaton with

1In our graph-based definition of runs, this may necessitate duplicating some nodes inthe run to ensure that every node will be uniquely labeled.


F = ∅. For all w ∈ Σω, A fin-accepts w iff A has a uniform fin-acceptingrun on w.

Proof: (Only if) Let G = 〈V,E, L〉 be a fin-accepting run of A on w. If

A is nondeterministic, then, because every transition of A has exactly onetarget state, all branches in G are infinite due to forward causality and theconsistency of L. Let

(〈vi, V

′′i 〉

)0≤i<ω

∈ B(G) be an infinite branch in G

(where 〈vi, V′′i 〉 ∈ E ∩ (Vi × 2Vi+1) and vi+1 ∈ V ′′

i hold for all 0 ≤ i <

ω). It is easy to check that the graph G′ = 〈V ′, E ′, L′〉, where V ′i

def= {vi},

L′(vi)def= L(vi) (0 ≤ i < ω), E ′ def

=⋃

0≤i<ω

{〈vi, V

′i+1〉

}and L′

(〈vi, V

′i+1〉

)def=

L(〈vi, V

′′i 〉

)(0 ≤ i < ω) is a uniform run of A on w (to show that L′ is

consistent, observe that all nodes in V ′′i have the same label in G for all

0 ≤ i < ω, because A is nondeterministic). Obviously, G′ contains theunique infinite branch

(〈vi, V

′i+1〉

)0≤i<ω

; because fin((〈vi, V

′i+1〉)0≤i<ω

)=

fin((〈vi, V

′′i 〉)0≤i<ω

)= ∅ holds, G′ is fin-accepting.

If A is an alternating automaton, we apply a uniformization strategy to Gto define a uniform fin-accepting run G′ = 〈V ′, E ′, L′〉 of A on w. Intu-itively, we choose for each level of G a set of transitions (labeling a subsetof edges starting from the level) and define the next level of G′ as a set ofrepresentative nodes for each distinct state of A that is a target state of one ofthese transitions. These representatives then guide the selection of anotherset of transitions.

Clearly, forming each level of G′ from nodes labeled with distinct states ofA already guarantees that the condition that characterizes uniform runs is sat-isfied. However, the requirement that G′ should be a fin-accepting run of Arestricts the choice of transitions used for defining the successive levels of G′.Namely, we have to ensure that the collection of levels thus defined does notcontain an infinite branch that violates the fin-acceptance condition. Moreprecisely, these levels should not include an infinite chain of edges labeledwith transitions of A that share an acceptance condition in F .

(Uniformization strategy and definition of G′) We now give the formal in-

ductive definition ofG′. Let V ′0

def= {v′0}, and let L′(v′0)

def= qI . We assume that

the acceptance conditions in the finite set F are totally ordered by a relation≺ ⊆ F × F . In addition to defining the levels V ′

i , we shall also define afunction Fi : Q → 2F for all 0 ≤ i < ω; intuitively, f ∈ Fi(q) shall hold forsome acceptance condition f ∈ F only if the most recently defined levels ofG′ include a nonempty chain of edges labeled with self-loops starting fromthe state q, all of which have the condition f in their acceptance conditions.

Let F0(q)def= ∅ for all q ∈ Q. It is clear that each nonempty Fi(q) contains a

≺-minimal element.Let Ti : Q → 2∆ (for each level 0 ≤ i < ω of G) be a function which

collects the transitions of A that label the edges starting from a node labeledwith the state q at level i of G; formally,

Ti(q)def=

{L(〈v, V ′〉

)∈ ∆ ∃〈v, V ′〉 ∈ E ∩ (Vi × 2Vi+1) : L(v) = q

}.

(Because G is a run, G satisfies the forward causality requirement, and thusTi(q) 6= ∅ holds for all 0 ≤ i < ω and q ∈ L(Vi).) We divide Ti(q) further


into three pairwise disjoint (possibly empty) partitions Ti,1(q), Ti,2(q) andTi,3(q) by defining

Ti,1(q)def=

{t ∈ Ti(q) t is not a self-loop of A

},

Ti,2(q)def=

{t ∈ Ti(q) \ Ti,1(q) t is not a min≺ Fi(q)-transition

}, and

Ti,3(q)def= Ti(q) \

(Ti,1(q) ∪ Ti,2(q)

).

(If Fi(q) = ∅, then we consider no transition in Ti(q) to be a min≺ Fi(q)-transition in the definition of Ti,2(q).)

Assume that V ′i and Fi have already been defined for some 0 ≤ i < ω, and

assume also that the labels of the nodes at level i of G′ form a subset of thenode labels at the corresponding level of G, i.e., L′(V ′

i ) ⊆ L(Vi) (this clearlyholds for the level V ′

0 of G′). We now choose for all q ∈ L′(V ′i ) a transition

ti,q = 〈q,Γi,q, Fi,q, Q′i,q〉 ∈ Ti,k(q), where k ∈ {1, 2, 3} is the least index of

a nonempty partition of Ti(q) (because Ti(q) 6= ∅ holds, such a partitionalways exists). That is, we choose ti,q from Ti(q) by preferring non-self-loops

over self-loops and self-loops that are not min≺ Fi(q)-transitions over otherself-loops.

Write⋃q∈L′(V ′

i )Q′i,q = {qi,1, . . . , qi,ni

} for some 0 ≤ ni < ω (where qi,j 6=

qi,k for all 1 ≤ j, k ≤ ni, j 6= k). Define the level i + 1 of G′ as a set of ninew nodes V ′

i+1def= {vi,1, . . . , vi,ni

}, and let L′(vi,j)def= qi,j for all 1 ≤ j ≤ ni.

Because the labeling L is consistent in G, it follows immediately thatL′(V ′

i+1) ⊆ L(Vi+1), and thus we can repeat the same inductive construc-

tion at level i + 1 of G′ after first defining the function Fi+1. For all q ∈ Q,let

Fi+1(q)def=

Fi,q if q ∈ L′(V ′i ) ∩Q

′i,q and Fi(q) = ∅

Fi,q ∩ Fi(q) if q ∈ L′(V ′i ) ∩Q

′i,q and Fi(q) 6= ∅

∅ otherwise.

In the first two cases, the transition ti,q is well-defined (because q ∈ L′(V ′i )

holds), and it is a self-loop of A starting from the state q (q ∈ Q′i,q). If

Fi(q) = ∅ holds, then Fi(q) has no ≺-minimal element. In this case wesimply initialize Fi+1(q) with the acceptance conditions of ti,q: clearly, (ti,q)is then a nonempty chain of self-loops through q that trivially share all accep-tance conditions in Fi,q.

Otherwise, if Fi(q) 6= ∅ already contains a ≺-minimal element, then themost recently defined levels of G′ contain a nonempty chain of edges corre-sponding to a chain of self-loops through q that share all acceptance condi-tions in Fi(q). The second case of the definition now guarantees that Fi+1(q)

will contain a condition f ∈ Fi(q) only if also the self-loop ti,q includes f in

its acceptance conditions. Therefore, Fi+1(q) has the intended meaning atlevel i+ 1 of G′.

Finally, if q /∈ L′(V ′i ) ∩ Q

′i,q holds, then no transition chosen from Ti(q)

starts or extends a chain of self-loops with source state q. In this case wedefine Fi+1(q) to be empty.

This completes the inductive definitions of V ′i and Fi. To define the edges


of G′, we let

E ′ def=

⋃

0≤i<ω

{〈v, V ′′〉 ∈ V ′

i × 2V′i+1 L′(V ′′) = Q′

i,L′(v)

}

and for all e = 〈v, V ′′〉 ∈ E ′ ∩ (V ′i × 2V

′i+1) (0 ≤ i < ω), L′(e)

def= ti,L′(v).

(G′ is a uniform run of A on w) We check that G′ is a uniform run of Aon w. It is easy to see that each level of G′ consists of uniquely labeled nodesby construction, and thusG′ satisfies the constraint required of uniform runs.It remains to be checked that G′ is a run of A on w.

(Partitioning) It follows directly from the definitions of V ′ and E ′ thatV ′

0 is a singleton, V ′ is partitioned into finite disjoint levels, and the edgesof E ′ lie between successive levels of G′.

(Forward causality and consistency of L′) Clearly L′(v′0) = qI holds.Let v ∈ V ′

i for some 0 ≤ i < ω. Because L′(v) ∈ L′(V ′i ) ⊆ L(Vi)

holds, G contains at least one node at level i labeled with the state L′(v),and because G satisfies the forward causality constraint, each such nodehas an outgoing edge labeled with a transition in Ti(q). Therefore thetransition ti,q = 〈q,Γi,q, Fi,q, Q

′i,q〉 ∈ Ti(q) is well-defined (i.e., ti,q = L(e)

for some e ∈ E). By the definition of G′, Q′i,q ⊆ L′(V ′

i+1) holds, and thus

there exists an edge e′ = 〈v, V ′′〉 ∈ E ′ ∩ (V ′i × 2V

′i+1). This edge is unique

in E ′, because all nodes at level i+ 1 of G′ are labeled with distinct statesof A. Furthermore, because L′(e′) = ti,q = L(e) holds and because L isconsistent, it follows that also the labeling L′ is consistent.

(Backward causality) If v′ ∈ V ′i for some 1 ≤ i < ω, then there exists a

state q ∈ L′(V ′i−1) ⊆ L(Vi−1) and a transition t = 〈q,Γ, F,Q′〉 ∈ Ti−1(q)

such that L′(v′) ∈ Q′ holds. Therefore, there exists a node v ∈ V ′i−1 and

an edge e = 〈v, V ′′〉 ∈ E ′ such that L′(v) = q and L′(V ′′) = Q′ hold.Because no two nodes in V ′

i have the same label, it follows that v′ ∈ V ′′,and thus v′ is a successor of v in G′.

We conclude that G′ is a uniform run of A on w.

(G′ is fin-accepting) If F = ∅, then fin(β) = ∅ obviously holds for allβ ∈ B(G′), and thus G′ is trivially fin-accepting.

Assume that F 6= ∅ holds, and G′ is not fin-accepting. Then G′ containsan infinite branch (ei)0≤i<ω ∈ B(G′) that violates the fin-acceptance condi-tion, and there exists a minimal index 0 ≤ j < ω such that the transitionsL′(ei) (j ≤ i < ω) share an acceptance condition f ∈ F .

On the other hand, if A is a self-loop alternating automaton, there exists aminimal index 0 ≤ k < ω such that all transitions L′(ei) are self-loops of Ahaving a common source state q ∈ Q for all k ≤ i < ω (Proposition 2.3.18).It now follows from the definition of G′ that for all k ≤ i < ω, the transitionL′(ei) is the transition chosen by the uniformization strategy from Ti(q) atlevel i, i.e., L′(ei) = ti,q = 〈q,Γi,q, Fi,q, Q

′i,q〉 holds. Furthermore, because

L′ is consistent, q ∈ L′(V ′i ) ∩Q

′i,q holds for all k ≤ i < ω.

Let `def= max{j, k}. Obviously, f ∈

⋂`≤i<ω Fi,q holds by the assumption.

Furthermore, there exists an index ` ≤ `′ < ω such that Fi(q) 6= ∅ holds forall `′ ≤ i < ω: for if Fi(q) = ∅ holds for some ` ≤ i < ω, then, because


q ∈ L′(V ′i )∩Q

′i,q holds, it follows from the definition of the function Fi+1(q)

that Fi+1(q) = Fi,q 3 f holds. Then, Fi′(q) 6= ∅ holds by induction on i′ for

all i + 1 ≤ i′ < ω, because the assumption that f ∈ Fi′(q) holds for somei+1 ≤ i′ < ω implies (because of the fact that q ∈ L′(V ′

i′)∩Q′i′,q holds) that

Fi′+1(q) = Fi′,q ∩ Fi′(q) 3 f . We may thus choose `′def= i+ 1 in this case.

Because Fi(q) 6= ∅ holds for all `′ ≤ i < ω, it is easy to see from thedefinition of the functions Fi(q) that Fi+1(q) ⊆ Fi(q) holds for all `′ ≤

i < ω. Because F`′(q) is finite, there exists an index `′ ≤ `′′ < ω and anonempty set of acceptance conditions F ⊆ F such that Fi(q) = F holdsfor all `′′ ≤ i < ω. Furthermore, F ⊆ Fi,q also holds for all `′′ ≤ i < ω. Let

fmindef= min≺ F be the ≺-minimal acceptance condition in F .

Let `′′ ≤ i < ω, and let v ∈ Vi be a node in G labeled with the state q(such a node exists, because q ∈ L′(V ′

i ) ⊆ L(Vi) holds). Because ti,q is aself-loop of A that is also an fmin-transition, so is the transition labeling theedge that starts from the node v in G (otherwise the uniformization strategywould have preferred this transition when choosing a transition from Ti(q)).Because the labeling L is consistent, the node v has a successor in G that islabeled with the state q. By induction on i, it follows that G contains an infi-nite branch with an infinite suffix of edges labeled with fmin-transitions of A.But thenG cannot be a fin-accepting run of A onw, which is a contradiction.It follows that G′ is a uniform fin-accepting run of A on w.

(If) The result follows in this direction immediately because all uniform

fin-accepting runs of A on w are obviously fin-accepting. �

4.2 NONDETERMINIZATION CONSTRUCTION

The expressive equivalence of alternating and nondeterministic automata onfinite words follows already from the first results on alternation [Kozen 1976;Chandra and Stockmeyer 1976; Brzozowski and Leiss 1980; Chandra et al.1981]. Miyano and Hayashi [1984a,b] showed that this expressive equiva-lence carries over to infinite words for automata working in inf-acceptancemode using a single acceptance condition associated with states of the au-tomaton. Isli [1994, 1996] used a construction similar to the one of Miyanoand Hayashi to show that an alternating automaton with n states, m of whichare designated “accepting”, can be translated into a nondeterministic au-tomaton with at most (2

3)m · 3n states. The expressive equivalence of alter-

nating and nondeterministic automata under more general notions of accep-tance and types of input was investigated (and proved) by Lindsay [1988],Emerson and Jutla [1991] and Muller and Schupp [1995].

On the other hand, the translation of alternating automata into nonde-terministic automata was considered also for automata with structural con-straints. Muller et al. [1986, 1992] presented a construction for translatingweak alternating automata on infinite trees into nondeterministic automataworking in inf-acceptance mode. Very weak automata on words were furtherstudied by Rohde [1997], who proposed a construction for translating veryweak alternating automata working on transfinite words into nondeterminis-tic automata, and Gastin and Oddoux [2001], who showed that every very


weak alternating automaton on infinite words (with n states, m of which areassociated with a single inf- or fin-acceptance condition) can be translatedinto an equivalent nondeterministic automaton having at most 2n states andm inf-acceptance conditions on transitions. As a matter of fact, this construc-tion applies directly also to automata with a relaxed notion of one-weakness[Ben-David et al. 2005]; the knowledgeable reader may note the similarityof the construction with a special case of the construction of Muller et al.[1986, 1992]. Similar ideas can be found also in the construction of Fritz[2005]. Hammer et al. [2005] use a nondeterminization construction thatpreserves state-based acceptance; their construction is correct, however, onlyfor a subclass of very weak alternating automata they call simple linear weakalternating automata.

In this section we generalize the result of Gastin and Oddoux [2001] toself-loop alternating automata with multiple fin-acceptance conditions asso-ciated with their transitions. Similarly to Gastin and Oddoux’s construction,we build from a self-loop alternating automaton with n states an equivalentnondeterministic automaton with 2n states. If the self-loop alternating au-tomaton has m acceptance conditions, the nondeterministic automaton hasat most nm acceptance conditions. This worst-case upper bound is optimalfor our nondeterminization construction; special cases in which this blow-upcan be avoided (such as when the alternating automaton is built from an LTLformula using the translation rules) are discussed in Sect. 4.3.

4.2.1 Universal Subset Construction

Consider a uniform run of a self-loop alternating automaton A. Becauseeach level of this run comprises a (possibly empty) set of nodes labeled withdistinct states of A, the labels of the nodes in the level form a subset of statesof A with no duplicates. Intuitively, this run can be seen as a run of an-other automaton on the same input by collapsing each level of the run intoa single node and the edges between each pair of consecutive levels into asingle edge between the nodes representing the levels (see Fig. 4.1), and bydefining a labeling for these nodes and edges. The nonbranching nature ofthe node sequence that emerges suggests that a transition labeling an edge inthe sequence should not have more than one target state to ensure the con-sistency of the labeling. Because each uniform run of A can be identifiedin a similar way with a nonbranching sequence of nodes, it follows that theunderlying automaton can actually be made nondeterministic. The states ofthis automaton are subsets of states of A, and its transitions are obtained by“synchronizing” transitions of A starting from a given subset of states.

The above intuition for simulating self-loop alternating automata withnondeterministic automata resembles very closely the well-known subsetconstruction of Rabin and Scott [1959] used for simulating nondetermin-istic automata on finite words with deterministic automata (i.e., automatawhose every state has a unique successor on each symbol of the alphabet). Inthe case of alternating automata, however, the subsets consist of the currentstates of the active copies of the alternating automaton, instead of possiblecurrent states of a single copy of the automaton. The above intuitive con-struction suggests combining a set of transitions taken at a particular level


Fig. 4.1: Collapsing the levels of a uniform run of an alternating automaton into anonbranching sequence of nodes

of a run by a collection of active copies of an alternating automaton into atransition that simulates the change effected by the transitions in the set ofthe active copies of the automaton. Because the labeling of the run is consis-tent, all of these transitions include the current input symbol in their guard.This fact suggests defining the guard of the simulating transition as the setintersection of the guards of the individual transitions taken by the copies ofthe alternating automaton. We sometimes refer to this principle of definingthe states and transitions of a nondeterministic automaton as the universalsubset construction for self-loop alternating automata (to distinguish it fromthe classic “existential” construction for nondeterministic automata on finiteinputs).2

We have not yet considered how to define the acceptance conditions forthe transitions of the nondeterministic automaton. Similarly to the targetstates and the guard of a transition that simulates a set of transitions, it wouldseem possible to define the acceptance conditions of the simulating transi-tion as a direct combination (such as the union) of the acceptance conditionsof the other transitions. This intuitive idea is not correct in the general case,however. Below, we present a construction that introduces new acceptanceconditions for the nondeterministic automaton; the fact that these new accep-tance conditions are indeed necessary for the universal subset constructionin the general case will be shown in Sect. 4.2.3.

Theorem 4.2.1 Let A = 〈Σ, Q,∆, qI ,F〉 be a self-loop alternating automa-ton. Define the automaton A′ =

⟨Σ, 2Q,∆′, {qI}, Q × F

⟩, where, for all

Q′ ∈ 2Q, Γ ⊆ Σ, F ⊆ Q×F and Q ⊆ 2Q,

〈Q′,Γ, F,Q〉 ∈ ∆′ iff for all q ∈ Q′, there exists a transition 〈q,Γq,Fq, Q

′q〉 ∈ ∆ such that Γ =

⋂q∈Q′ Γq, F =⋃

q∈Q′∩Q′q

({q} × Fq

), and Q =

{ ⋃q∈Q′ Q′

q

}

hold.

(In particular,⟨∅,Σ, ∅, {∅}

⟩∈ ∆′.) The automaton A′ is nondeterministic,

and Lfin(A) = Lfin(A′) holds.

2We note that there is no corresponding “existential” subset construction for translat-ing arbitrary nondeterministic automata on infinite words into inf - or fin-equivalent deter-ministic automata, because nondeterministic and deterministic automata are not expres-sively equivalent under these notions of acceptance (see, for example, [Vardi 1996]): ingeneral, a more complex notion of acceptance is needed for the deterministic automaton[McNaughton 1966; Safra 1988].


Proof: It is clear from the definition that the target states of each transition ofA′ are singletons (containing a subset ofQ), and thus A′ is nondeterministic.We show that A and A′ are fin-equivalent.

(Lfin(A) ⊆ Lfin(A′)) Let G = 〈V,E, L〉 be a uniform fin-accepting run of

A on w ∈ Σω. We construct a fin-accepting run G′ = 〈V ′, E ′, L′〉 of A′ onw.

(Definition of G′) Let V ′ def=

⋃0≤i<ω{v

′i} (with V ′

i

def= {v′i} for all 0 ≤ i <

ω), E ′ def=

⋃0≤i<ω

{〈v′i, V

′i+1〉

}, and L′(v′i)

def= L(Vi) for all 0 ≤ i < ω. To

define the label of the edge starting from the node v′i (0 ≤ i < ω), we firstwrite Vi = {vi,1, . . . , vi,ni

} for some 0 ≤ ni < ω (where vi,j 6= vi,k holds forall 1 ≤ j, k ≤ ni, j 6= k). Because G is uniform, L(vi,j) = qi,j 6= qi,k =L(vi,k) holds for all 1 ≤ j, k ≤ ni (j 6= k), and thus there are ni distincttransitions Ti ⊆ ∆ labeling edges starting from the nodes in Vi:

Tidef=

⋃

1≤j≤ni

{L(〈vi,j, V

′′〉)

〈vi,j, V′′〉 ∈ E

}=

⋃

1≤j≤ni

{〈qi,j,Γi,j, Fi,j, Q

′i,j〉

}.

The label of the edge 〈v′i, V′i+1〉 (0 ≤ i < ω) is then given by L′

(〈v′i, V

′i+1〉

)def=⟨ ⋃

1≤j≤ni{qi,j},

⋂1≤j≤ni

Γi,j,⋃

1≤j≤niqi,j∈Q′

i,j

({qi,j} × Fi,j

),{⋃

1≤j≤niQ′i,j

}⟩.

(G′ is a run of A′ on w) We check that the graph G′ satisfies all constraintsrequired of a run of A′ on w.

(Partitioning) Obviously V ′0 = {v′0} is a singleton, and G′ is partitioned

into finite disjoint levels with edges between consecutive levels.

(Causality) Clearly, each level of G′ contains only one node, and for all0 ≤ i < ω, the node v′i ∈ V ′

i has the unique outgoing edge 〈v′i, V′i+1〉 ∈ E ′.

On the other hand, the node v′i ∈ V ′i (1 ≤ i < ω) is a successor of the

node v′i−1 ∈ V ′i−1.

(Consistency of L′) It is clear from the definition thatL′(v′0) = L(V0) =

L({v0}

)= {qI} holds. Let 0 ≤ i < ω, and let v = v′i ∈ V ′

i . Because Ti ⊆∆ holds, it follows from the definition of A′ that ∆′ contains the transition⟨ ⋃

1≤j≤nj{qi,j},

⋂1≤j≤ni

Γi,j,⋃


i,j

({qi,j}×Fi,j

),{⋃

1≤j≤niQ′i,j

}⟩=

L′(〈v′i, V

′i+1〉

). Because G is a run, w(i) ∈ Γi,j holds for all 1 ≤ j ≤ ni,

and thusw(i) ∈⋂

1≤j≤niΓi,j holds. Furthermore, because L is consistent,

it follows that⋃

1≤j≤ni{qi,j} =

⋃1≤j≤ni

{L(vi,j)

}= L(Vi) = L′(v′i) and{ ⋃

1≤j≤niQ′i,j

}=

{L(Vi+1)

}=

{L(v′i+1)

}= L(V ′

i+1) hold. Thereforealso the labeling L′ is consistent.

We conclude that G′ is a run of A′ on w.

(G′ is fin-accepting) Suppose that G′ is not fin-accepting. Then there ex-ists an index 0 ≤ j < ω and an acceptance condition 〈q, f〉 ∈ Q × F suchthat for all j ≤ i < ω, the transition L′

(〈v′i, V

′i+1〉

)∈ ∆′ is a 〈q, f〉-transition.

Let j ≤ i < ω. By the definition of L′, Ti contains an f -transition t ∈ ∆(with source state q) that is a self-loop of A. Because t is the consistent labelof an edge starting from a node v ∈ Vi with L(v) = q, v has a successorin Vi+1 that is also labeled with the state q. Furthermore, this successor isthe only node in Vi+1 that has q as its label, because G is uniform. By in-duction on i, it follows that G contains an infinite branch with an infinite


suffix of edges labeled with f -transitions. This contradicts the assumptionthat G is fin-accepting. Therefore G′ is a fin-accepting run of A′ on w, andLfin(A) ⊆ Lfin(A

′) holds.

(Lfin(A′) ⊆ Lfin(A)) Let G′ = 〈V ′, E ′, L′〉 be a fin-accepting run of A′

on w ∈ Σω. Because A′ is nondeterministic, we may assume (without lossof generality) that G′ is uniform (Proposition 4.1.1). Therefore, every levelV ′i of G′ consists of a single node v′i for all 0 ≤ i < ω. Write L′(v′i) =

{qi,1, . . . , qi,ni} ∈ 2Q for some 0 ≤ ni < ω (where qi,j 6= qi,k holds for all

1 ≤ j, k ≤ ni, j 6= k) for all 0 ≤ i < ω. Similarly to the other direction, wedefine a fin-accepting run G = 〈V,E, L〉 of A on w.

(Definition of G) For all 0 ≤ i < ω, let Vi consist of ni new nodes Videf=

{vi,1, . . . , vi,ni}, and let L(vi,j)

def= qi,j for all 1 ≤ j ≤ ni. Clearly, no two

nodes in Vi have the same label, and L(Vi) = L′(v′i) holds for all 0 ≤ i < ω.Because G′ is a uniform run of a nondeterministic automaton, the node

v′i ∈ V ′ has the unique outgoing edge⟨v′i, {v

′i+1}

⟩∈ E ′ labeled with a

transition⟨L′(v′i),Γi, Fi,

{L′(v′i+1)

}⟩∈ ∆′ for some Γi ⊆ Σ and Fi ⊆ Q×F

for all 0 ≤ i < ω. By the definition of A′, there exist transitions ti,j =〈qi,j,Γi,j, Fi,j, Q

′i,j〉 ∈ ∆ for all 1 ≤ j ≤ ni such that Γi =

⋂1≤j≤ni

Γi,j,

Fi =⋃


i,j

({qi,j} × Fi,j

)and

{L′(v′i+1)

}=

{ ⋃1≤j≤ni

Q′i,j

}hold.

Let v ∈ Vi for some 0 ≤ i < ω; thus L(v) = qi,j ∈ L′(v′i) for some

1 ≤ j ≤ ni. We now define ei,jdef= 〈v, V ′′〉 ∈ Vi × 2Vi+1 by taking V ′′ to be

the unique subset of Vi+1 for which L(V ′′) = Q′i,j holds (such a subset exists,

because Q′i,j ⊆ L′(v′i+1) = L(Vi+1) holds, and it is unique, because all nodes

in Vi+1 have different labels). We then define Edef=

⋃0≤i<ω{ei,1, . . . , ei,ni

}

and L(ei,j)def= ti,j for all 0 ≤ i < ω and 1 ≤ j ≤ ni.

(G is a run of A on w) We check that G is a run of A on w.

(Partitioning) Because L′(v′0) = {qI}, n0 = 1 holds, and thus V0 is asingleton. Because the nodes of G′ are labeled with subsets of the finiteset Q, Vi is finite for all 0 ≤ i < ω (and disjoint from all other levels ofG by definition). By the definition of E, G has edges only between itsconsecutive levels.

(Causality) Let v = vi,j ∈ Vi for some 0 ≤ i < ω and 1 ≤ j ≤ ni. Bythe definition of G, v has the unique outgoing edge ei,j = 〈v, V ′′〉 ∈ E.

On the other hand, if v′ ∈ Vi holds for some 1 ≤ i < ω, then L(v′) =q′ ∈ L′(v′i) holds. Because G′ is a uniform run of a nondeterministicautomaton, v′i is a successor of the node v′i−1 ∈ V ′. Let t′ ∈ ∆′ be thetransition labeling the edge between these nodes in G′. Because L′(v′i) 6=∅, it follows from the definition of A′ that L′(v′i−1) 6= ∅, and there exists atransition t ∈ ∆ (with source state q ∈ L′(v′i−1)) which is a “component”in the transition t′ and includes q′ in its target states. By the definition ofG, Vi−1 now contains a node v with L(v) = q, and the edge starting fromthis node is labeled with the transition t. Thus v has a successor labeledwith the state q′. This successor is now necessarily the node v′, becausethe labels of nodes in Vi are distinct by definition.

(Consistency of L) Clearly L(V0) = {qI} holds. Let v = vi,j ∈ V

for some 0 ≤ i < ω and 1 ≤ j ≤ ni. By the definition of G, the


edge ei,j ∈ E starting from this node is labeled with the transition ti,j =〈qi,j,Γi,j, Fi,j, Q

′i,j〉 ∈ ∆. Clearly, L(v) = qi,j holds, and L(V ′′) = Q′

i,j

holds by the definition of ei,j. Furthermore, because G′ is a run, w(i) ∈Γi =

⋂1≤k≤ni

Γi,k holds. In particular, w(i) ∈ Γi,j holds, and thus thelabeling L is consistent.

(G is fin-accepting) Assume that G is not fin-accepting. Then there existsan index 0 ≤ j < ω, an acceptance condition f ∈ F and an infinite branch(ei)0≤i<ω ∈ B(G) such that L(ei) is an f -transition for all j ≤ i < ω. Be-cause A is a self-loop alternating automaton, we may choose j large enoughsuch that the transitions L(ei) are self-loops of A (with source state q ∈ Q) forall j ≤ i < ω (Proposition 2.3.18). Because ei ∈ E holds for all j ≤ i < ω,then L(ei) = ti,k = 〈q,Γi,k, Fi,k, Q

′i,k〉 holds for some 1 ≤ k ≤ ni. But then,

because ti,k is a self-loop and f ∈ Fi,k holds, it follows from the definition ofA′ that the transition L′

(⟨v′i, {v

′i+1}

⟩)is a 〈q, f〉-transition for all j ≤ i < ω,

which contradicts the assumption that G′ is fin-accepting. Therefore G is afin-accepting run of A on w, and Lfin(A

′) ⊆ Lfin(A). �

4.2.2 Number of States and Transitions in a Nondeterministic Automaton

It is easy to see that a nondeterministic automaton built from a self-loop al-ternating automaton with n states using the construction in Theorem 4.2.1has at most 2n states. By combining the translation from LTL to self-loopalternating automata (Sect. 3.1) with the construction, we obtain the follow-ing simple corollary on the complexity of translation of linear temporal logicformulas into nondeterministic automata. This upper bound for the numberof states is essentially the same as in the translations of Couvreur [1999] andGastin and Oddoux [2001] with the exception of an additive constant (thatarises because our automata have a unique initial state).

Corollary 4.2.2 Let ϕ ∈ LTL(AP) be any LTL formula built from the ele-ments of AP , the Boolean constants > and ⊥, and the connectives {¬,∨,∧,X,Us,Uw,Rs,Rw}. The language of the formula ϕ can be recognized bya nondeterministic automaton (working on the alphabet 2AP ) with at most1 + 2|Temp([ϕ]PNF)| ≤ 1 + 22·|Temp(ϕ)| = 1 + 4|Temp(ϕ)| states (1 + 2|Temp(ϕ)|

states, if ϕ itself is in positive normal form). (If ϕ is a binary pure temporalformula, the upper bound reduces to 2|Temp([ϕ]PNF)| states.)

Proof: Let ϕ be an LTL formula in the given form. By Corollary 3.2.2, thereexists a self-loop alternating automaton A (working on the alphabet 2AP )with at most 1 + Temp

([ϕ]PNF

)states (or at most Temp

([ϕ]PNF

)states if

ϕ is a binary pure temporal formula) such that Lfin(A) = L(ϕ) holds, andthis automaton can be built using the translation rules presented in Sect. 3.1.By the construction in Theorem 4.2.1, there exists a nondeterministic au-tomaton A′ that fin-accepts the same language. Because the subautomatonrooted at the initial state of this automaton has at most 2|Q| states (where Qis the state set of A), the result now follows immediately if ϕ is a binary puretemporal formula.

If ϕ is not a binary pure temporal formula, then the construction pre-sented in Theorem 4.2.1 yields a nondeterministic automaton with at most


21+|Temp([ϕ]PNF)| states. In this case, however, the alternating automaton Ahas no self-loops starting from its initial state qI ; furthermore, because A isa self-loop alternating automaton, no other transition of A can have qI asits target state, either. It follows from the definition of A′ that the subau-tomaton rooted at the initial state of A′ contains no states corresponding tonon-singleton subsets of Q that include the state qI . Therefore, the upperbound for the size of the subautomaton reduces to 1 + 2|Temp([ϕ]PNF)| states,and the result follows. �

We mention here that in the general case, the smallest nondeterministicautomaton (working on the alphabet 2AP) which recognizes the language ofan LTL formula (over the atomic propositions AP ) always has exponentiallymany states in the number of pure temporal subformulas of the formula. Forexample [Wolper 2001], it is possible to express the behavior of an n-bit bi-nary counter that resets itself infinitely often as an LTL formula over n atomicpropositions with O(n) pure temporal subformulas (hence, as a self-loop al-ternating automaton withO(n) states), but a corresponding nondeterministicautomaton working on the same alphabet has no less than 2n states.

It is easy to see from the construction in Theorem 4.2.1 that every tran-sition of the nondeterministic automaton built from a self-loop alternatingautomaton is defined in terms of a subset of transitions of the self-loop alter-nating automaton. Therefore, the nondeterministic automaton built from aself-loop alternating automaton A = 〈Σ, Q,∆, qI ,F〉 cannot have more than2|∆| transitions. Combining this upper bound directly with the exponential(2O(|ϕ|)) upper bound for the number of transitions in a self-loop alternatingautomaton built from an LTL formula ϕ ∈ LTL(AP) using the translationrules presented in Sect. 3.1 (see Sect. 3.2.2) yields a doubly exponential up-per bound (in |ϕ|) for the number of transitions in a nondeterministic au-tomaton built for the formula ϕ. The number of transitions can neverthelessbe shown to be, in effect, only singly exponential in |ϕ|; the details follow inSect. 4.3.4.

4.2.3 Number of Acceptance Conditions

Given a self-loop alternating automaton A = 〈Σ, Q,∆, qI ,F〉, the construc-tion of Theorem 4.2.1 gives a simple upper bound (|Q| · |F|) for the num-ber of acceptance conditions in a fin-equivalent nondeterministic automatonbuilt from A by applying the universal subset construction. A more accu-rate upper bound can be found by observing that the nondeterministic au-tomaton built from A using the construction has a 〈q, f〉-transition (for some〈q, f〉 ∈ Q × F ) only if q ∈ Q is an f -state of A. Because the accep-tance conditions for which no corresponding transitions exist do not affectfin-acceptance (clearly, none of these conditions can appear in the label ofan edge in any infinite branch of a run of the automaton), these conditionscan be safely removed from the nondeterministic automaton without chang-ing its language. A more accurate upper bound for the number of acceptanceconditions needed for the nondeterministic automaton is thus given by theequation ∑

f∈F

|{q ∈ Q : q is an f -state of A}| ≤ |Q| · |F|.


The |Q| · |F| upper bound in nevertheless tight if the states and transitionsof the nondeterministic automaton are to be defined using the universal sub-set construction.

Proposition 4.2.3 A nondeterministic automaton built from a self-loop al-ternating automaton with 1 ≤ n < ω states and 1 ≤ m < ω acceptanceconditions (and an alphabet of at least nm symbols) using the universal sub-set construction needs nm acceptance conditions to recognize the languageof the alternating automaton in the worst case.

Proof: Let Σ be a finite alphabet, and let w ∈ Σω. We use the notation

occ(w)def= {σ ∈ Σ | w(i) = σ for some 0 ≤ i < ω} for the set of symbols

occurring in w, and inf(w)def= {σ ∈ Σ | w(i) = σ for infinitely many

0 ≤ i < ω} for the set of symbols which occur in w infinitely many times.Let {Σn,m}1≤n,m<ω be a family of alphabets, where the alphabet Σn,m

(1 ≤ n,m < ω) is the union of n pairwise disjoint m-symbol alphabets Σ′i,m

(1 ≤ i ≤ n), i.e., Σn,mdef=

⋃ni=1 Σ′

i,m, where Σ′i,m

def= {σi,1, σi,2, . . . , σi,m},

and Σ′i,m ∩ Σ′

j,m = ∅ holds for all 1 ≤ i, j ≤ n, i 6= j. Define also the corre-sponding family of languages {Ln,m}1≤n,m<ω, where, for all 1 ≤ n,m < ω,

Ln,mdef=

{w ∈ Σω

n,m Σ′1,m ⊆ inf(w), and if Σ′

i,m∩occ(w) 6= ∅ forsome 2 ≤ i < ω, then also Σ′

i,m ⊆ inf(w)}

.

Let 1 ≤ n,m < ω be fixed. We show that the language Ln,m can be fin-recognized by a self-loop alternating automaton (on the alphabet Σn,m) withn states and m acceptance conditions, but a nondeterministic automatonbuilt from the alternating automaton using the universal subset constructionneeds at least nm acceptance conditions to fin-recognize the same language.

Let 2 ≤ i ≤ n. It is easy to check that the language{w ∈ Σω

n,m Σ′i,m ⊆

inf(w)}

is fin-recognized by the single-state automaton Ai with m + 1 self-

loops and m acceptance conditions Fmdef= {f1, f2, . . . , fm}; formally, Ai

def=⟨

Σn,m, {qi},∆i, qi,Fm

⟩, where

∆idef=

{⟨qi,{σi,j},Fm\{fj},{qi}

⟩1≤j≤m

}∪

{⟨qi,Σn,m\Σ′

i,m,Fm,{qi}⟩}

.

Clearly, for all σ ∈ Σn,m, there is a unique transition in ∆i that includes σ inits guard.

We now use the automata Ai (2 ≤ i < ω) to build an automaton An,m

that fin-recognizes the language Ln,m. Similarly to the automata Ai, An,m

has an initial state q1 used for checking that the input of the automaton con-tains infinitely many occurrences of each symbol in Σ′

1,m. Whenever theautomaton reads a symbol from some Σ′

i,m (2 ≤ i < ω), it spawns a copyof the automaton Ai to check that the input contains also infinitely manyoccurrences of each symbol in Σ′

i,m. The automaton always keeps a copy of

itself in its initial state. Formally, An,mdef= 〈Σn,m, Qn,∆n,m, q1,Fm〉, where

Qndef= {q1, q2, . . . , qn} and

∆n,mdef=

{⟨q1, {σ1,i},Fm \ {fi}, {q1}

⟩1 ≤ i ≤ m

}

∪{⟨q1,Σ

′i,m,Fm, {q1, qi}

⟩2 ≤ i ≤ n

}

∪⋃ni=2 ∆i.


{σ1,1}

{σ2,1}

{σ2,1}

{σ3,1}

{σ3,1}

{σ1,1, σ2,1}{σ1,1, σ3,1}

q1

q2 q3

{σ1,1}{σ1,1}

{σ1,1}

{σ1,1}

{σ2,1}

{σ2,1}

{σ2,1}

{σ2,1}{σ3,1}

{σ3,1}

{σ3,1}

{σ3,1}

{q1}

{q1, q2} {q1, q3}

{q1, q2, q3}

(a) (b)

Fig. 4.2: Examples of automata used in the proof of Proposition 4.2.3. (a) Theautomaton A3,1. (b) State–transition structure of the nondeterministic automatonobtained from A3,1 using the universal subset construction (transitions with emptyguards and states not reachable from the initial state omitted)

It is easy to see that An,m is a self-loop alternating automaton, because thereare no transitions from any state qi ∈ Qn (2 ≤ i ≤ n) to another stateq ∈ Qn \ {qi}. For illustration, see Fig. 4.2 (a) for the automaton A3,1.

Observe that, for all q ∈ Qn and σ ∈ Σn,m, ∆n,m again contains a uniquetransition with source state q and σ in its guard. Thus the automaton hasa run on every w ∈ Σω

n,m, and the run on w is unique with respect to thesets of states and transitions labeling the nodes at the levels and the edgesstarting from the levels, respectively. Obviously, the run always contains aninfinite branch that stays in the state q1, and if Σ′

i,m ∩ occ(w) 6= ∅ holds forsome 2 ≤ i ≤ n, the run contains also an infinite branch that convergesto the state qi. It is therefore easy to see that the run is fin-accepting only ifw ∈ Ln,m holds. On the other hand, it is straightforward to check that allruns of An,m on w are fin-accepting if w ∈ Ln,m, and thus the automatonAn,m fin-recognizes the language Ln,m.

Let A′n,m be the nondeterministic automaton on the alphabet Σn,m ob-

tained from An,m by defining its states 2Qn and transitions ∆′n,m using the

universal subset construction, where we deliberately give each transition ofA′n,m an empty set of acceptance conditions (see Fig. 4.2 (b) for illustra-

tion). Observe again that for every subset Q′ ⊆ Qn and every symbol σ ∈Σn,m, A′

n,m has a unique transition⟨Q′,Γ, ∅, {Q′′}

⟩∈ ∆′

n,m (Γ ⊆ Σn,m,Q′′ ⊆ Qn) such that σ ∈ Γ holds. In particular, A′

n,m contains the transitionchain

(⟨{q1, . . . , qi},Σ

i+1m , ∅,

{{q1, . . . , qi, qi+1}

}⟩)1≤i≤n−1

. Furthermore, it

is straightforward to check from the construction that for all σ ∈ Σn,m, ∆′n,m

contains the transition⟨Qn, {σ}, ∅, {Qn}

⟩(and these are the only transitions

with a nonempty guard starting from the state Qn).Assume that there is a way to define the acceptance conditions of the

transitions of A′n,m as subsets of a set F with less than nm elements such

that A′n,m fin-recognizes the language Ln,m. Let u = σ1,1σ2,1 · · ·σn,1. It

follows by the above discussion that the nodes at any level greater than orequal to n in a run of A′

n,m on an infinite word of the form uv (v ∈ Σωn,m)

are all labeled with the state Qn. Because u contains a symbol from eachΣ′i,m, uv ∈ Ln,m holds only if v contains infinitely many occurrences of

each symbol in Σn,m. Therefore, A′n,m fin-accepts the language Ln,m only


if the subautomaton (A′n,m)Qn fin-recognizes the language of infinite words

containing infinitely many occurrences of each symbol of the alphabet Σn,m.

The language fin-accepted by (A′n,m)Qn is obviously empty if all self-loops⟨

Qn, {σ}, ∅, {Qn}⟩∈ ∆′

n,m (σ ∈ Σn,m) are f -transitions for some f ∈ F .Thus there exists a set of at most |F| self-loops that includes for each f ∈ F aself-loop that is not an f -transition. Because the guards of these self-loops aresingleton subsets of Σn,m, it follows that A′

n,m fin-accepts all words of the formuwω for some permutation w of the symbols in the guards of these self-loops.But then, because w = |F| < nm holds, uwω contains only finitely manyoccurrences of some symbol σ ∈ Σn,m. This contradicts the assumption thatthe automaton A′

n,m fin-recognizes the language Ln,m. Therefore, F musthave at least nm conditions (which is also sufficient by Theorem 4.2.1). �

4.3 AUTOMATA WITH ACCEPTANCE SYNCHRONIZED RUNS

The universal subset construction provides an intuitive way for translatingself-loop alternating automata into fin-equivalent nondeterministic automatadue to its resemblance to the classic existential subset construction for nonde-terministic finite word automata. The construction is also essentially optimalwith respect to the blow-up in the number of states in the automaton. How-ever, as shown in Sect. 4.2.3, translating a self-loop alternating automatonwith n states into an equivalent nondeterministic one using the constructionmay necessitate an n-fold increase in the number of the automaton’s accep-tance conditions. Consequently, the procedure obtained by combining therule-based translation of LTL into self-loop alternating automata (Sect. 3.1)with the nondeterminization construction of Theorem 4.2.1 maps a formulawith n syntactically distinct pure temporal subformulas (m of which are bi-nary temporal subformulas) into a nondeterministic automaton with O(nm)acceptance conditions. However, most procedures for translating LTL intonondeterministic automata with multiple inf- or fin-acceptance conditions(beginning already with the procedure of Gerth et al. [1995] and, in partic-ular, including that of Gastin and Oddoux [2001]) manage to do the transla-tion using O(m) conditions for the nondeterministic automaton. The infe-rior worst-case performance of the proposed construction appears to be a con-sequence of associating acceptance with the transitions instead of the statesof the automata.

In this section, we shall introduce a subclass of alternating automata thatcan be translated into nondeterministic automata without any blow-up in thenumber of acceptance conditions. The subclass is characterized by a combi-nation of structural and semantic properties that guarantee the existence ofa special kind of accepting runs that allows simplifying the universal subsetconstruction. It occurs that the self-loop alternating automata built from LTLformulas using the translation rules presented in Sect. 3.1 trivially belong tothis subclass of automata. Therefore, these automata can be translated intonondeterministic automata with at most as many acceptance conditions asin automata built using previously known constructions. In principle, ourresult is analogous to that of Hammer et al. [2005]: whereas they identifya subclass of automata which can be translated into nondeterministic au-


Fig. 4.3: Principle of fin-acceptance synchronization. A level labeled on top of thefigure with the symbol • (resp. ◦) contains no edges labeled with the acceptancecondition • (◦); a fin-acceptance synchronized run has infinitely many such levelsfor both conditions

tomata without giving up state-based acceptance, our subclass of self-loopalternating automata (with transition-based acceptance) admits translationinto nondeterministic automata without introducing new acceptance condi-tions. Furthermore, similarly to the simple linear weak alternating automataof Hammer et al. [2005], our subclass is not less expressive than the class ofself-loop alternating automata since its expressiveness captures all of LTL.

4.3.1 Acceptance Synchronicity

As seen in Sect. 4.1, the question on the existence of an accepting run fora self-loop alternating automaton can be answered by considering only theuniform runs of the automaton. The key to optimizing the nondeterminiza-tion construction of Sect. 4.2 is to identify an even smaller subset of runs thatsatisfy certain requirements on the occurrence of transitions associated withacceptance conditions. We define this subset formally as follows.

Let G = 〈V,E, L〉 be a run of an alternating automaton A = 〈Σ, Q,∆,qI ,F〉 on an infinite word w ∈ Σω over the alphabet Σ (where V consistsof disjoint finite levels Vi as usual), and let f ∈ F be an acceptance con-dition. We say that the run G is fin-synchronized with respect to f iff thereexist infinitely many 0 ≤ i < ω such that no transition that labels an edgestarting from a node at level i of G is an f -transition of A. The run G isfin-acceptance synchronized iff G is fin-synchronized with respect to all ac-ceptance conditions in F . (The definition of inf-synchronicity with respect toa condition f ∈ F is analogous: we simply require that G contain infinitelymany levels, all edges starting from which are labeled with f -transitions. Asbefore, we nevertheless consider only fin-acceptance in the following to sim-plify the discussion.)

Intuitively, if a fin-acceptance synchronized run of A on w is interpreted(in the standard way) as a description of the behavior of A’s copies workingin parallel on the input w, then, although every copy of the automaton worksindependently of the other copies, the copies nevertheless “cooperate” inthis run with respect to every acceptance condition f ∈ F by avoiding f -transitions at certain (infinitely many) positions of the input (see Fig. 4.3 forillustration). It is easy to see that every fin-acceptance synchronized run of Ais a fin-accepting run of A.

Proposition 4.3.1 Let G = 〈V,E, L〉 be a run of an alternating automatonA = 〈Σ, Q,∆, qI ,F〉 on some w ∈ Σω. If G is fin-acceptance synchronized,


then w ∈ Lfin(A) holds.

Proof: If B(G) = ∅, then the claim holds trivially. Otherwise let β =

(ei)0≤i<ω ∈ B(G) (ei ∈ E ∩ (Vi × 2Vi+1)) be an infinite branch in G. Weshow that fin(β) = ∅ holds, that is, f /∈ fin(β) holds for all acceptance con-ditions f ∈ F . This is clear for the condition f ∈ F if no edge in β islabeled with an f -transition; otherwise, if L(ej) is an f -transition for some0 ≤ j < ω, then, because G is fin-acceptance synchronized, there exists anindex j < k < ω such that no edge in E ∩ (Vk × 2Vk+1) is labeled withan f -transition. In particular, this implies that L(ek) is not an f -transition.Because j is arbitrary, β contains infinitely many edges not labeled with anf -transition, and thus f /∈ fin(β) holds. Because the same reasoning appliesto all acceptance conditions, it follows that fin(β) = ∅ holds, and thus β isfin-accepting. Because β is arbitrary, it follows that G is a fin-accepting runof A on w. �

4.3.2 A Simplified Nondeterminization Construction

By Proposition 4.3.1, an alternating automaton A working on infinite wordsover the alphabet Σ fin-accepts a word w ∈ Σω whenever A has a fin-acceptance synchronized run on w. The same result clearly holds in par-ticular for uniform fin-acceptance synchronized runs on w. If A has also theconverse property, i.e., if A has a uniform fin-acceptance synchronized runon all words w ∈ Lfin(A), then A can be translated into a fin-equivalentnondeterministic automaton that uses the same number of acceptance con-ditions as A. Such an automaton can again be built using the universal subsetconstruction. Actually, A need not even be a self-loop alternating automaton(however, it must have uniform fin-accepting runs in the sense of Sect. 4.1).

Theorem 4.3.2 Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automaton, andassume that, for all w ∈ Σω, w ∈ Lfin(A) holds iff A has a uniform fin-acceptance synchronized run on w. Define the automaton A′ =

⟨Σ, 2Q,∆′,

{qI},F⟩, where, for all Q′ ∈ 2Q, Γ ⊆ Σ, F ⊆ F and Q ⊆ 2Q,

〈Q′,Γ, F,Q〉 ∈ ∆′ iff for all q ∈ Q′, there exists a transition 〈q,Γq,Fq, Q

′q〉 ∈ ∆ such that Γ =

⋂q∈Q′ Γq, F =⋃

q∈Q′ Fq, and Q ={ ⋃

q∈Q′ Q′q

}hold.

The automaton A′ is nondeterministic, and Lfin(A′) = Lfin(A) holds.

Proof: The proof is similar to that of Theorem 4.2.1 (p. 76); clearly, the def-inition of A′ differs from the construction presented in Theorem 4.2.1 onlyin the definition of the acceptance conditions. The assumption on the ex-istence of uniform fin-acceptance synchronized runs is needed for showingthat all words fin-accepted by A are included in the language fin-recognizedby the automaton A′ (which is obviously nondeterministic by definition).

(Lfin(A) ⊆ Lfin(A′)) Let w ∈ Lfin(A). By the assumption, A has a uni-

form fin-acceptance synchronized run G = 〈V,E, L〉 on w. Let G′ =〈V ′, E ′, L′〉, V ′

i (the levels of G′ for all 0 ≤ i < ω) and Ti ⊆ ∆ (thetransitions that label edges starting from nodes at level 0 ≤ i < ω of G,


Ti =⋃

1≤j≤ni

{〈qi,j,Γi,j, Fi,j, Q

′i,j〉

}) be as defined in the corresponding

direction in the proof of Theorem 4.2.1 with the exception that we define

the label of the edge 〈v′i, V′i+1〉 ∈ E ′ (0 ≤ i < ω) as L′

(〈v′i, V

′i+1〉

)def=⟨ ⋃

1≤j≤ni{qi,j},

⋂1≤j≤ni

Γi,j,⋃

1≤j≤niFi,j,

{ ⋃1≤j≤ni

Q′i,j

}⟩to make the

edge labels match the transitions of A′, which have their acceptance con-ditions chosen directly from the set F . Similarly to Theorem 4.2.1, it is thenstraightforward to check thatG′ is a run of A′ on w. Note that this check doesnot require assuming that A is a self-loop alternating automaton.

Suppose thatG′ is not fin-accepting. Then there exists an index 0 ≤ j < ωand an acceptance condition f ∈ F such that the transition L′

(〈v′i, V

′i+1〉

)

is an f -transition for all j ≤ i < ω, and thus Ti contains an f -transition forall j ≤ i < ω. But then G has only finitely many levels with no outgoingedges labeled with f -transitions. This contradicts the assumption that G isfin-acceptance synchronized (in particular, fin-synchronized with respect tof ). Therefore G′ is fin-accepting, and w ∈ Lfin(A

′) holds.

(Lfin(A′) ⊆ Lfin(A)) Let w ∈ Lfin(A

′). It is again easy to check that the

graph G = 〈V,E, L〉 defined in the corresponding direction of the proof ofTheorem 4.2.1 (from a uniform fin-accepting run G′ = 〈V ′, E ′, L′〉 of thenondeterministic automaton A′ on w) is a run of A on w. (Because G′ is auniform run of a nondeterministic automaton, then V ′

i = {v′i} is a singletonfor all 0 ≤ i < ω.)

If G is not fin-accepting, then there exists an infinite branch (ei)0≤i<ω ∈B(G), an acceptance condition f ∈ F , and an index 0 ≤ j < ω such that thetransition L(ei) is an f -transition for all j ≤ i < ω. Because L(ei) ∈ ∆ is (bydefinition of A′) a “component” in the transition L′

(⟨v′i, {v

′i+1}

⟩)that labels

the edge between levels i and i+ 1 of G′ (cf. the proof of Theorem 4.2.1), itfollows that L′

(⟨v′i, {v

′i+1}

⟩)is also an f -transition for all j ≤ i < ω. This is

a contradiction, because G′ was assumed to be fin-accepting. We concludethat w ∈ Lfin(A) holds. �

Alternating automata that have uniform fin-acceptance synchronized runson all words in their language can thus be translated into nondeterministicautomata using the universal subset construction without introducing newacceptance conditions. Instead, the acceptance conditions of a transition inthe nondeterministic automaton can be defined simply as the union of theconditions in its component transitions. Because the translation is based onthe universal subset construction, it is again easy to see that the nondeter-ministic automaton built from an alternating automaton with n states and mtransitions has at most 2n states and 2m transitions.

4.3.3 Sufficient Conditions for Acceptance Synchronization

In this section we define a subclass of alternating automata which are guaran-teed to have uniform fin-acceptance synchronized runs on all words in theirlanguage (and which can thus be translated into nondeterministic automatausing the construction of Theorem 4.3.2). We first introduce the class andthen show that all automata in the class have this property.


Terminology

We use the following terminology for characterizing our class of alternatingautomata. Let A = 〈Σ, Q,∆, qI ,F〉 be a fixed alternating automaton.

Let 〈q,Γ, F,Q′〉 ∈ ∆ be a transition of A, and let f ∈ F be an acceptancecondition. We say that the transition is f -closed iff f ∈ F implies that Q′

contains an f -state. The automaton A is f -closed iff all of its transitions aref -closed. Intuitively, this means that every finite chain of f -transitions in Acan be extended into an infinite one. Finally, A is acceptance closed (withrespect to F ) iff it is f -closed for all acceptance conditions f ∈ F .

Example 4.3.3 The self-loop alternating automaton shown in Fig. 2.7 (p. 37)is not •-closed, because it contains the transition

⟨q6, {b}, {•}, {q8}

⟩having

no •-states as its target states. The automaton is ◦-closed, however. The au-tomaton obtained from this automaton by removing acceptance conditionsfrom its non-self-loop transitions (Fig. 2.8, p. 39) is both •- and ◦-closed andtherefore acceptance closed (with respect to the set of acceptance conditions{•, ◦}). �

Let q ∈ Q. By Proposition 2.3.15, the subautomaton Aq fin-accepts a wordw ∈ Σω iff it has an initial transition 〈q,Γ, F,Q′〉 ∈ ∆ such that w(0) ∈ Γholds, and (Aq)q

′(= Aq′) fin-accepts w1 for all q′ ∈ Q′. We say that Aq

fin-accepts w by avoiding an initial f -transition (notation: w ∈ Lffin(Aq))

if one of the transitions satisfying this condition is not an f -transition of A.(Obviously, if q is not an f -state of A, then Lffin(A

q) = Lfin(Aq) holds.)

Let f ∈ F be an acceptance condition. We say that the state q ∈ Q is anf -representative state iff q is an f -state, and for all w ∈ Σω,

• if w ∈ Lffin(Aq) ∩ Lfin(A

q′) holds for some f -state q′ ∈ Q, then w ∈

Lffin(Aq′), and

• if w ∈ Lffin(Aq′) holds for some f -state q′ ∈ Q, then there exists an

index 0 ≤ i < ω such that wi ∈ Lffin(Aq) holds.

Intuitively, if the alternating automaton A has an f -representative state forone of its acceptance conditions f ∈ F , then the f -states that occur as la-bels of nodes in a fin-accepting run of A determine certain input positionsat which the active copies of the automaton could (but do not have to) “co-operate” with respect to the condition f by not taking f -transitions. If a levelin the run contains a node labeled with an f -representative state such thatthe edge starting from this node is not labeled with an f -transition, then allactive subautomata of the automaton could fin-accept the input from thatposition onward by avoiding an initial f -transition. On the other hand, if therun contains a node labeled with another (not necessarily f -representative)f -state such that the edge starting from this node is not labeled with an f -transition, then there exists a subsequent input position at which all activecopies of the automaton could avoid taking f -transitions. As we shall showlater in this section, the existence of an f -representative state in an f -closedalternating automaton implies that every fin-accepting run of the automatoncan be synchronized with respect to the condition f .


q•

q•

q•q•

q′q′

q′

q′′q′′q′′q′′

q′′

w(i) w(j) w(j′)

Fig. 4.4: Implications of the occurrence of •-states as node labels in a fin-acceptingrun of an alternating automaton

Example 4.3.4 Figure 4.4 depicts parts of a fin-accepting run of an alternat-ing automaton A with a •-representative state q• on an input w. The statesq′ and q′′ are two nonrepresentative •-states of the automaton; the circledlevels identify input positions at which copies of the automaton in any •-state could (but do not need to) avoid taking a •-transition. The justificationfor this is given by the transition corresponding to the rightmost thick edgethat starts from the same or a preceding level of the run. Formally, becausewi ∈ L•

fin(Aq•) ∩ Lfin(A

q′) ∩ Lfin(Aq′′) and wj ∈ L•

fin(Aq′) hold, it follows

from the definition of representative states that wi ∈ L•fin(A

q′) ∩ L•fin(A

q′′)and wj

′∈ L•

fin(Aq•) hold (in which case also wj

′∈ L•

fin(Aq′′) holds). �

Guaranteeing the Existence of Acceptance Synchronized RunsOur main result in this section is the following:

Proposition 4.3.5 Let A = 〈Σ, Q,∆, qI ,F〉 be an acceptance closed al-ternating automaton such that for all acceptance conditions f ∈ F , if Ahas an f -state, then it has also an f -representative state. For all w ∈ Σω,w ∈ Lfin(A) holds iff A has a uniform fin-acceptance synchronized run onw.

To prove the proposition, we need one additional definition and a relatedresult. Let f ∈ F be an acceptance condition of an f -closed alternatingautomaton A = 〈Σ, Q,∆, qI ,F〉 with an f -representative state qf ∈ Q. LetIA,f : Σω → 2N be a function defined, for all w ∈ Σω, by the rule

IA,f(w)def=

{0 ≤ i < ω wi ∈ Lffin(A

qf )}

.

Intuitively, the function IA,f maps every word w ∈ Σω to the set of indices ithat identify the exact set of suffixes of the word w that are fin-recognized bythe subautomaton Aqf by avoiding an initial f -transition. This function is ob-viously well-defined because one of wi ∈ Lffin(A

qf ) or wi /∈ Lffin(Aqf ) always

holds for all w ∈ Σω and 0 ≤ i < ω (however, it need not be computable forall w in a finite number of steps). Clearly, if |IA,f(w)| < ω holds, then theset {0}∪IA,f(w) contains a maximal element. In this case it also follows thatevery subautomaton rooted at an f -state of A fin-accepts only finitely manysuffixes of w:

Lemma 4.3.6 Let A = 〈Σ, Q,∆, qI ,F〉 be an f -closed alternating automa-ton with an f -representative state qf ∈ Q for some f ∈ F , and let w ∈ Σω.


If |IA,f(w)| < ω holds, then wi /∈ Lfin(Aq) holds for all f -states q ∈ Q and

indices max({0} ∪ IA,f (w)

)< i < ω.

Proof: Because IA,f (w) is finite, kdef= max

({0} ∪ IA,f (w)

)< ω exists. Sup-

pose that the subautomaton Aq fin-accepts wi for some f -state q ∈ Q andk < i < ω, and let G = 〈V,E, L〉 be a fin-accepting run of Aq on wi.

Let 〈q,Γ, F,Q′〉 ∈ ∆q (Γ ⊆ Σ, F ⊆ F and Q′ ⊆ Q) be the initialtransition of Aq labeling the edge between the first two levels of G. If f /∈ Fholds, then wi ∈ Lffin(A

q) holds. Because qf is an f -representative state of A,there exists an index 0 ≤ j < ω such that the subautomaton Aqf fin-accepts(wi)j = wi+j by avoiding an initial f -transition. But then i + j ∈ IA,f (w)holds, which contradicts the assumption that i > k = max

({0} ∪ IA,f(w)

)

holds. Therefore the transition 〈q,Γ, F,Q′〉 is an f -transition.Because A is f -closed, Q′ contains an f -state q′ ∈ Q′. Because L is con-

sistent, the node v0 at level 0 of G has a successor v1 ∈ V1 labeled with q′;furthermore, the subgraph of G rooted at v1 is a fin-accepting run of (Aq)q

′

(= Aq′) on (wi)1 by Proposition 2.3.9. Because q′ is an f -state of A, a sim-ilar reasoning shows that also the edge starting from v1 is labeled with anf -transition of A, and v1 has a successor labeled with an f -state of A. By in-duction, it follows that G contains an infinite branch, all edges of which arelabeled with f -transitions. But then B(G) contains an infinite branch that isnot fin-accepting, and thus G cannot be fin-accepting, either, contrary to ourassumption. Therefore wi /∈ Lfin(A

q) holds. �

Proof of Proposition 4.3.5 (Only if): Without loss of generality, we may as-

sume that A has an f -transition (hence, an f -state) for all acceptance condi-tions f ∈ F : obviously, acceptance conditions not occurring in any tran-sition of A can be discarded without affecting fin-acceptance. Let w ∈Lfin(A). If A has no acceptance conditions (F = ∅), then w ∈ Lfin(A)holds iff A has a run on w, iff A has a uniform run on w (Proposition 4.1.1),and every run of A is trivially fin-acceptance synchronized. We may thusassume that F = {f1, f2, . . . , fn} holds for some 1 ≤ n < ω such that A hasan fi-representative state qfi

∈ Q for all 1 ≤ i ≤ n. We define a uniformfin-acceptance synchronized run G = 〈V,E, L〉 of A on w.

(Definition of G) We define the levels of G inductively: first, let V0def=

{v0,1} and L(v0,1)def= qI . For each level Vi in G (0 ≤ i < ω), we define

also a set of edges Ei starting from nodes in Vi, and an integer 0 ≤ ci ≤ nthat is used to guide the inductive construction. To guarantee that G is fin-acceptance synchronized, we need to ensure that G is fin-synchronized withrespect to all acceptance conditions f ∈ F . The integers ci are used to makesure that each acceptance condition is treated fairly in the construction: forall i, ci will either have the special value 0, or it identifies an acceptance con-dition fci ∈ F for which we should try to define a level having no outgoing

edges labeled with fci -transitions. Let c0def= 0.

Assume that Vi={vi,1, vi,2, . . . , vi,ni}, L(Vi)={qi,1, qi,2, . . . , qi,ni

} (where0 ≤ ni < ω, L(vi,j) = qi,j and L(vi,j) 6= L(vi,k) hold for all 1 ≤ j, k ≤ ni,j 6= k), and ci have already been defined for some 0 ≤ i < ω, and assumealso that wi ∈ Lfin(A

qi,j) holds for all 1 ≤ j ≤ ni. (This is clear if i = 0,because L(V0) = {qI}, and w0 = w ∈ Lfin(A) = Lfin(A

qI).)


Because Aqi,j fin-accepts wi for all 1 ≤ j ≤ ni, there exist transitionsti,j = 〈qi,j ,Γi,j, Fi,j, Q

′i,j〉 ∈ ∆qi,j ⊆ ∆ (for some Γi,j ⊆ Σ, Fi,j ⊆ F and

Q′i,j ⊆ Qqi,j ⊆ Q) such that w(i) ∈ Γi,j holds for all 1 ≤ j ≤ ni, and Aq′

fin-accepts wi+1 for all q′ ∈⋃

1≤j≤niQ′i,j (Proposition 2.3.15). Furthermore,

if ci 6= 0, and qi,j is not an fci -state or if i ∈ IA,fci(w) holds (in which case

wi ∈ Lffin(Aqfci ) holds for the fci -representative state qfci

), it follows thatAqi,j fin-accepts wi by avoiding an initial f -transition, and thus the transitionti,j can be chosen so that fci /∈ Fi,j holds. In other words, if i ∈ IA,fci

(w)holds, then we can choose the transitions ti,j such that fci /∈

⋃1≤j≤ni

Fi,jholds.

Let⋃

1≤j≤niQ′i,j = {qi+1,1, qi+1,2, . . . , qi+1,ni+1

} (where 0 ≤ ni+1 < ω,and the states qi+1,j are pairwise distinct). Define Vi+1 as a set of ni+1 new

nodes Vi+1def= {vi+1,1, vi+1,2, . . . , vi+1,ni+1

}, and let L(vi+1,j)def= qi+1,j for all

1 ≤ j ≤ ni+1. By construction, no two nodes in Vi+1 have the same label,and because L(Vi+1) =

⋃1≤j≤ni

Q′i,j , it follows that for every 1 ≤ j ≤ ni,

there exists a unique subset V ′i,j ⊆ Vi+1 such that L(V ′

i,j) = Q′i,j holds. Let

Eidef=

{〈vi,j, V

′i,j〉 1 ≤ j ≤ ni

}, and for all 1 ≤ j ≤ ni, let L

(〈vi,j, V

′i,j〉

)def=

ti,j. Finally, let

ci+1def=

ci if ci 6= 0, |IA,fci(w)| = ω and

i /∈ IA,fci(w)

(ci + 1) mod(|F| + 1

)otherwise.

This completes the inductive definition of Vi+1, Ei and ci+1; clearly, theconstruction ensures also that wi+1 ∈ Lfin(A

L(v)) holds for all v ∈ Vi+1. We

then define Vdef=

⋃0≤i<ω Vi and E

def=

⋃0≤i<ω Ei.

(G is a uniform run of A on w) It is clear that each level of G consists ofnodes with distinct labels, and thus G satisfies the constraint required of uni-form runs of A. We check that G is a run of A on w.

(Partitioning) Obviously V0 = {v0,1} is a singleton, and E consists ofedges connecting pairwise disjoint consecutive levels of G by definition.

(Forward causality) Let v ∈ Vi for some 0 ≤ i < ω. Then v = vi,jholds for some 1 ≤ j ≤ ni. Clearly, Ei ⊆ E contains the edge 〈vi,j, V

′i,j〉,

and this is the only edge starting from vi,j in G.

(Backward causality) Let v′ ∈ Vi for some 1 ≤ i < ω. Then there existsa transition t = 〈q,Γ, F,Q′〉 for some Γ ⊆ Σ, F ⊆ F and Q′ ⊆ Q suchthat L(v′) ∈ Q′ holds, and Vi−1 contains a node v with L(v) = q. By thedefinition of E, the node v has the outgoing edge 〈v, V ′〉 ∈ E such thatL(V ′) = Q′ holds. Because no two nodes at level Vi have the same label,it follows that v′ ∈ V ′ holds, and thus v′ is a successor of the node v atlevel Vi−1 in G.

(Consistency of L) Clearly L(v0,1) = qI . Let e = 〈vi,j, V′i,j〉 ∈ E be an

edge in E for some 0 ≤ i < ω and 1 ≤ j ≤ ni. By the definition of L, thisedge is labeled with the transition ti,j = 〈qi,j,Γi,j, Fi,j, Q

′i,j〉 ∈ ∆ such

that w(i) ∈ Γi,j holds. The definition also guarantees that qi,j = L(vi,j)and Q′

i,j = L(V ′i,j) hold, and thus the labeling L is consistent.

(G is fin-acceptance synchronized) We show that G is fin-acceptance syn-chronized. First, it is easy to see that ci+1 6= ci holds for infinitely many


indices 0 ≤ i < ω: otherwise there would exist an index 0 ≤ i < ω suchthat cj = ci and fcj = fci = f hold for all i ≤ j < ω. By the definition ofthe integers cj, it follows that cj = ci 6= 0, |IA,f(w)| = ω and j /∈ IA,f (w)hold for all i ≤ j < ω. But this is impossible, because the assumption thatj /∈ IA,f (w) holds for all i ≤ j < ω would imply that |IA,f(w)| < ω holds, acontradiction. Therefore, ci+1 6= ci holds for infinitely many i, and becausethe integers ci are defined incrementally modulo |F| + 1, it follows that forall f ∈ F , there are infinitely many indices 0 ≤ i < ω such that ci 6= 0 andfci = f hold.

Let f ∈ F . If |IA,f(w)| < ω holds, then kdef= max

({0} ∪ IA,f (w)

)< ω

exists. Suppose that Ei contains an edge labeled with an f -transition of Afor some k < i < ω. Because the labeling L is consistent, the source nodev ∈ Vi of this edge is labeled with an f -state of A, and AL(v) fin-acceptswi bythe inductive definition of G. However, this is impossible by Lemma 4.3.6.ThereforeG contains only finitely many levels with an outgoing edge labeledwith an f -transition of A, and thus G is fin-synchronized with respect to theacceptance condition f .

Otherwise |IA,f(w)| = ω holds. Let 0 ≤ i < ω be any of the (infinitelymany) indices such that ci 6= 0 and fci = f hold, and let i ≤ j < ω bethe least index greater than or equal to i for which cj+1 6= ci holds. By thedefinition of cj+1, it follows that j ∈ IA,f (w) holds in this case. But then thedefinition of G guarantees that Ej has no edges labeled with an f -transitionof A. It follows that G is fin-synchronized with respect to the acceptancecondition f .

Because f is arbitrary, G is fin-synchronized with respect to all of its ac-ceptance conditions, and thus G is a uniform fin-acceptance synchronizedrun of A on w.

(If) This direction follows immediately from Proposition 4.3.1. �

The following result is an immediate consequence of Proposition 4.3.5.

Corollary 4.3.7 Let A = 〈Σ, Q,∆, qI ,F〉 be an acceptance closed alternat-ing automaton that has an f -representative state for all acceptance conditionsin F for which it has an f -state. The automaton A can be translated into afin-equivalent nondeterministic automaton without introducing new accep-tance conditions by applying the construction presented in Theorem 4.3.2.

Proof: By Proposition 4.3.5, A fin-accepts a word w ∈ Σω iff A has a uni-form fin-acceptance synchronized run on w. Obviously, this is exactly theprecondition for applying Theorem 4.3.2. �

4.3.4 Application to Translation of LTL into Nondeterministic Automata

As a simple first example on using the optimized nondeterminization con-struction of Theorem 4.3.2, we consider automata built from LTL formulasusing the translation rules presented in Sect. 3.1. (The results of this sectionare needed further in Ch. 5 where we consider alternative translation rules.)It is easy to see that all automata built using the rules are acceptance closedalternating automata that have representative states for all of their acceptanceconditions.


Lemma 4.3.8 Let A = 〈2AP , Q,∆, qI ,F〉 be a self-loop alternating automa-ton built from an LTL formula ϕ ∈ LTLPNF(AP) using the translation rulespresented in Sect. 3.1. The automaton A is an acceptance closed automatonthat has an f -representative state for every acceptance condition f ∈ F .

Proof: Let f ∈ F be an acceptance condition. As observed in Sect. 3.1.1,all f -transitions of A are self-loops of A, and they have the same sourcestate qf ∈ Q (which corresponds to the initial state of a subautomaton builtfor a binary pure temporal subformula of ϕ with a strong binary temporalmain connective). Therefore A is f -closed, and the state qf is trivially anf -representative state, because it is the only f -state of A. The result followsbecause the same holds for all acceptance conditions f ∈ F . �

Consequently, the following result holds for the sizes of components in anondeterministic automaton built from an LTL formula.

Corollary 4.3.9 Let ϕ ∈ LTL(AP) be an LTL formula. The language L(ϕ)can be fin-recognized by a nondeterministic automaton with at most 1 +2|Temp([ϕ]PNF)| states (at most 2|Temp([ϕ]PNF)| states if ϕ is a binary pure temporal

formula), 2O(|ϕ|) transitions, and at most ndef=

{(ϕ1 ◦ ϕ2) ∈ Sub

([ϕ]PNF

):

◦ ∈ {Us,Rs}}

acceptance conditions.

Proof: Let A = 〈2AP , Q,∆, qI ,F〉 be the self-loop alternating automatonbuilt from [ϕ]PNF using the translation rules presented in Sect. 3.1. It isclear from the discussion in Sect. 3.2.3 that this automaton has at most nacceptance conditions. By Lemma 4.3.8, A is an acceptance closed au-tomaton with representative states for all of its acceptance conditions, andit follows by Corollary 4.3.7 that A can be translated into a nondeterminis-tic automaton with at most n acceptance conditions using the constructionof Theorem 4.3.2. Because this construction is based on the universal sub-set construction, the upper bound for the number of states follows from thediscussion in Sect. 4.2.2.

By the definition of the construction in Theorem 4.3.2, every transition inthe nondeterministic automaton is an element of the set 2Q×22AP

×2F×22Q.

Because the target state set of every transition consists of only a single subsetof Q, however, it is easy to see that the size of the set of possible target statesets is bounded by 2|Q|. Additionally, because the guards of transitions inthe alternating automaton A are conjunctions of atomic formulas (Booleanconstants or literals referring to atomic propositions that occur in the formula[ϕ]PNF), also the guards in the nondeterministic automaton can be writtenas such conjunctions. Furthermore, it is easy to see from the semantics ofLTL that no Boolean constant or a literal need occur in any conjunctiontwice; therefore, because the order of the atomic formulas in a conjunctionis not relevant, either, the number of these conjunctions is bounded by 22·|ϕ|.Because also |Q| ∈ O

(|ϕ|

)and |F| = n ∈ O

(|ϕ|

)hold, it follows that the

nondeterministic automaton has 2O(|ϕ|) transitions as argued. �

Admittedly, the above result is almost embarrassingly trivial at this point inlight of the number of theoretical definitions and results we used to reach it.As a matter of fact, we could have obtained this result by appealing directly


to the properties of the rules for translating LTL formulas into alternating au-tomata: because the self-loop alternating automaton A = 〈2AP , Q,∆, qI ,F〉built from the positive normal form of an LTL formula ϕ ∈ LTL(AP) hasonly one f -state for every acceptance condition f ∈ F (see Sect. 3.1.1), itis easy to conclude by the discussion in Sect. 4.2.3 that no more than |F|acceptance conditions are needed for the nondeterministic automaton builtfrom A, even if it were built using the general nondeterminization construc-tion of Theorem 4.2.1. The results presented in this section will prove to beuseful in the next chapter, where we introduce new translation rules whichmay sometimes increase the number of f -states (for an acceptance condi-tion f ) in the self-loop alternating automaton. By showing that the new rulespreserve acceptance closure and the existence of representative states for theacceptance conditions, we can then appeal to Corollary 4.3.7 to concludethat the automaton can still be translated into a nondeterministic automatonby using the universal subset construction of Theorem 4.3.2.

As a further theoretical curiosity, we note (analogously to Hammer et al.[2005]) that acceptance closed self-loop alternating automata with represen-tative states for their acceptance conditions provide a “normal form” for self-loop alternating automata. A naive effective procedure for translating anyself-loop alternating automaton into this form can be obtained by first trans-lating the automaton into a linear temporal logic formula (Sect. 3.4) and thentranslating this formula back into an alternating automaton using the transla-tion rules of Sect. 3.1; this automaton is in the normal form by Lemma 4.3.8.If the original automaton has n states and m acceptance conditions, then,by Proposition 3.4.4 and Corollary 3.2.2, the automaton obtained via thisconstruction has O

(n(1 +m)

)states and as many acceptance conditions.

4.4 LANGUAGES ACCEPTED BY SUBAUTOMATA OF A NONDETERMINIS-

TIC AUTOMATON

We note here a simple consequence of Theorem 4.2.1 and Theorem 4.3.2that extends them into subautomata of the nondeterministic automaton ob-tained by applying the construction of Theorem 4.2.1 to a self-loop alternat-ing automaton, or the construction of Theorem 4.3.2 to an acceptance closedalternating automaton that has representative states for all of its acceptanceconditions.

Proposition 4.4.1 Let A = 〈Σ, Q,∆, qI ,F〉 be a self-loop alternating au-tomaton, or an acceptance closed alternating automaton with an f -represen-tative state for all acceptance conditions f ∈ F for which it has an f -state,and let And =

⟨Σ, 2Q,∆nd, {qI},Fnd

⟩be the nondeterministic automaton

obtained from A using the construction of Theorem 4.2.1 or Theorem 4.3.2,respectively. For all Q′ ⊆ Q,

⋂q∈Q′ Lfin(A

q) = Lfin

((And)

Q′)holds.

Proof: The result obviously holds if Σ = ∅ (in this case⋂q∈Q′ Lfin(A

q) =

Lfin

((And)

Q′)= ∅). Assume that Σ 6= ∅ holds. Let σ ∈ Σ be a fixed symbol

of the alphabet Σ.

Let A+ def= 〈Σ, Q+,∆+, q+

I ,F〉 be the alternating automaton obtained

from A by definingQ+ def= Q∪{q+

I } for some new state q+I not included inQ,


and ∆+ def= ∆∪

{〈q+I , {σ}, ∅, Q

′〉}

. Because no transition of A+ includes thestate q+

I in its target states, A+ has the same loops as A, and thus A+ is a self-loop alternating automaton if A is such an automaton. For the same reason,it is easy to see that (A+)q = Aq holds for all q ∈ Q. Furthermore, becauseq+I is not an f -state for any f ∈ F , A+ has the same f -states, f -transitions,

and subautomata rooted at an f -state as A for all acceptance conditions f ∈F . Therefore, if A is an acceptance closed alternating automaton with f -representative states for all f ∈ F for which it has an f -state, then so is A+.

It follows that the automaton A+ can be translated into a fin-equivalentnondeterministic automaton A+

nd =⟨Σ, 2Q

+,∆+

nd, {q+I },F

+nd

⟩by applying

the same construction that was used to build the nondeterministic automa-ton And from A. It is easy to see that A+

nd has the unique initial transition⟨{q+

I }, {σ}, ∅, {Q′}

⟩∈ ∆+

nd, and the target state of every transition of A+nd is

a subset ofQ (A+ has no transitions having q+I as a target state). Furthermore,

(A+nd)

Q′′= (And)

Q′′holds for all Q′′ ⊆ Q.

Let w ∈ Σω. Now, w ∈⋂q∈Q′ Lfin(A

q) holdsiff w ∈ Lfin(A

q) holds for all q ∈ Q′ (definition of set intersection)

iff Aq fin-accepts w for all q ∈ Q′ (definition of Lfin(Aq))

iff (A+)q fin-accepts w for all q ∈ Q′ ((A+)q = Aq for all q ∈ Q ⊇ Q′)

iff there exists a transition⟨q+I ,Γ, F,Q

′′⟩∈ ∆+ for some Γ ⊆ Σ, F ⊆ F

and Q′′ ⊆ Q+ such that σ ∈ Γ holds, and (A+)q fin-accepts w for allq ∈ Q′′ (A+ has the unique initial transition

⟨q+I , {σ}, ∅, Q

′⟩)

iff A+ fin-accepts σw (Proposition 2.3.15)

iff A+nd fin-accepts σw (Lfin(A

+nd) = Lfin(A+))

iff there exists a transition⟨{q+

I },Γ, F,Q⟩∈ ∆+

nd for some Γ ⊆ Σ, F ⊆

F+nd and Q ⊆ 2Q

+such that σ ∈ Γ holds, and (A+

nd)Q′′

fin-accepts w forall Q′′ ∈ Q (Proposition 2.3.15)

iff (A+nd)

Q′fin-accepts w

(A+nd has the unique initial transition

⟨{q+I }, {σ}, ∅, {Q

′}⟩∈ ∆+

nd)

iff (And)Q′

fin-accepts w ((A+nd)

Q′

= (And)Q′

)

iff w ∈ Lfin

((And)

Q′)holds. (definition of Lfin

((And)Q

′))

�

Proposition 4.4.1 reduces the problem of checking for the fin-emptinessof the intersection of languages fin-recognized by subautomata of a self-loopalternating automaton (with properties given in the proposition) to checkingfor the fin-emptiness of the language of a nondeterministic automaton whichcan be found by applying the universal subset construction of Theorem 4.2.1or Theorem 4.3.2.

4.5 ON-THE-FLY OPTIMIZATIONS TO NONDETERMINIZATION

In practice, the standard way to apply the universal subset construction usedin Theorem 4.2.1 and Theorem 4.3.2 to build a nondeterministic automatonthat recognizes the language of an alternating automaton (or an intersectionof languages of its subautomata, cf. Sect. 4.4) is to build only that part of the


nondeterministic automaton, the state set of which includes the initial stateof the automaton and is closed under the automaton’s transition relation.This phase is usually combined with on-the-fly heuristics to avoid generatingsome transitions [Gastin and Oddoux 2001; Fritz 2005] and to merge stateswith identical sets of outgoing transitions [Gastin and Oddoux 2001]; accord-ing to Gastin and Oddoux [2001], even such simple optimizations work wellin practice to simplify the nondeterministic automaton. As formal evidenceof this fact, Fritz [2005] showed a heuristic similar to the one suggested byGastin and Oddoux [2001] for avoiding the generation of transitions in thenondeterministic automaton to cover comparable optimizations that are im-plicit in the tableau-based algorithm of Daniele et al. [1999] for translatingLTL directly into nondeterministic automata.

Formally, Gastin and Oddoux’s nondeterminization construction for veryweak alternating automata implicitly uses the following result to avoid gener-ating some transitions in the construction. We state this result without proofonly for completeness.

Proposition 4.5.1 Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automaton,and let A′ =

⟨Σ, 2Q,∆′, {qI},F

′⟩

be the nondeterministic automaton ob-tained from A using one the universal subset constructions of Theorem 4.2.1or Theorem 4.3.2. Assume that the nondeterministic automaton A′ has twotransitions t1 =

⟨Q′

1,Γ1, F1, {Q′′1}

⟩∈ ∆′ and t2 =

⟨Q′

2,Γ2, F2, {Q′′2}

⟩∈ ∆′

(for some Q′1, Q

′2, Q

′′1, Q

′′2 ⊆ Q, Γ1,Γ2 ⊆ Σ and F1, F2 ⊆ F ′) such that

Γ2 ⊇ Γ1, F2 ⊆ F1 and Q′′2 ⊆ Q′′

1 hold. The automaton A′ is fin-equivalent

to the automaton A′′ def=

⟨Σ, 2Q,∆′ \ {t1}, {qI},F

′⟩

obtained from A′ byremoving the transition t1 from ∆′.

Intuitively, Proposition 4.5.1 implies that a nondeterminization construc-tion does not need to generate a transition t1 from a set of “component”transitions starting from a given set of states of the alternating automatonif the combination of another set of “component” transitions starting fromthese states corresponds to a transition t2 such that t1 and t2 satisfy the aboveconstraints.

We shall not consider the removal of transitions further in this section;instead, we review syntactic techniques originally proposed for direct trans-lation algorithms between LTL and nondeterministic automata [Gerth et al.1995; Daniele et al. 1999; Giannakopoulou and Lerda 2002] to illustratetheir applications to reducing the size of the state set of the nondetermin-istic automaton obtained via the universal subset construction from a self-loop alternating automaton built from an LTL formula in positive normalform. These applications follow from the correspondence between the statesof the alternating automaton and the node subformulas of the formula; byProposition 4.4.1, every state of a nondeterministic automaton obtained fromthe alternating automaton corresponds to the conjunction of a collection ofsuch subformulas.

4.5.1 Detecting Redundant States Using Syntactic Implications

By Corollary 2.3.11, the language recognized by any automaton remains thesame after removing from the automaton all states, the subautomata rooted


at which recognize the empty language. Given a self-loop alternating au-tomaton built from an LTL formula ϕ ∈ LTLPNF(AP), it follows directlyfrom this observation that the universal subset construction can ignore stateswhich correspond to unsatisfiable conjunctions of node subformulas of ϕ.Whether a conjunction of a finite set of LTL formulas Φ ⊆ LTLPNF(AP) isunsatisfiable can be estimated heuristically with simple syntactic checks. Forexample, the formula

∧ψ∈Φ ψ is easily seen to be unsatisfiable if one of the

following conditions holds:

• ⊥ ∈ Φ, or [¬ψ]PNF ∈ Φ for some ψ ∈ Φ;

•{[¬ψ1]

PNF, [¬ψ2]PNF

}⊆ Φ for some (ψ1 ◦ ψ2) ∈ Φ (◦ ∈ {∨,Us,Uw});

• [¬ψ1]PNF ∈ Φ for some (ψ1 ∧ ψ2) ∈ Φ; or

• [¬ψ2]PNF ∈ Φ for some (ψ1 ◦ ψ2) ∈ Φ (◦ ∈ {∧,Rs,Rw}).

To increase the likelihood of detecting a conjunction of a set of formulas tobe unsatisfiable using syntactic checks, Daniele et al. [1999] suggested firstextending this set with formulas that follow by syntactic implication fromthe formulas in the set. Such formulas can again be found by using simplerules to add formulas to the set. Formally, given a finite collection Φ′ ⊆LTLPNF(AP) of LTL formulas in positive normal form, Daniele et al. [1999]use a function SI : 2Φ′

→ 2Φ′∪{>} that maps every subset Φ ⊆ Φ′ to theminimal subset of Φ′ ∪ {>} that is closed under the following rules:

• Φ ∪ {>} ⊆ SI(Φ).

• If (ψ1 ∨ ψ2) ∈ Φ′ and ψ1 ∈ SI(Φ) hold, then (ψ1 ∨ ψ2) ∈ SI(Φ).

• If (ψ1 ◦ψ2) ∈ Φ′ and ψ2 ∈ SI(Φ) hold for some ◦ ∈ {∨,Us,Uw}, then(ψ1 ◦ ψ2) ∈ SI(Φ).

• If (ψ1 ◦ ψ2) ∈ Φ′ and{ψ1,X(ψ1 ◦ ψ2)

}⊆ SI(Φ) hold for some ◦ ∈

{Us,Uw} then (ψ1 ◦ ψ2) ∈ SI(Φ).

• If (ψ1◦ψ2) ∈ Φ′ and {ψ1, ψ2} ⊆ SI(Φ) hold for some ◦ ∈ {∧,Rs,Rw},then (ψ1 ◦ ψ2) ∈ SI(Φ).

• If (ψ1 ◦ ψ2) ∈ Φ′ and{ψ2,X(ψ1 ◦ ψ2)

}⊆ SI(Φ) hold for some ◦ ∈

{Rs,Rw} then (ψ1 ◦ ψ2) ∈ SI(Φ).

(Of course, the domain and range of SI need be restricted to finite setsof formulas only to ensure that the computation of SI(Φ) will eventuallyterminate; every LTL formula has infinitely many logically equivalent LTLformulas that differ from each other syntactically.)

The above rules can be used to infer the satisfaction of compound sub-formulas of Φ′ from the satisfaction of other formulas. If Φ′ is closed undertaking of node subformulas (i.e., if NSub(ψ) ⊆ Φ′ holds for all ψ ∈ Φ′), syn-tactic implication can be extended also in the converse direction by addingthe following closure rules that are (except for the first one) actually part ofthe standard procedure of computing “covers” of LTL formulas, a basic oper-ation used in tableau-based decision procedures for LTL [Manna and Wolper1982, 1984; Wolper 1985] and related algorithms for translating LTL directlyinto nondeterministic automata [Gerth et al. 1995; Daniele et al. 1999]:


• If{(ψ1 ◦ψ2), [¬ψi]

PNF}⊆ SI(Φ) holds for some ◦ ∈ {∨,Us,Uw} and

i ∈ {1, 2}, then ψ3−i ∈ SI(Φ).

• If (ψ1 ∧ ψ2) ∈ SI(Φ) holds, then ψ1, ψ2 ∈ SI(Φ).

• If (ψ1 ◦ ψ2) ∈ SI(Φ) holds for some ◦ ∈ {Rs,Rw}, then ψ2 ∈ SI(Φ).

It is straightforward to check (by induction on the number of closure rulesapplied to a set of formulas Φ) from the semantics of LTL that

∧ψ∈Φ ψ ≡∧

ψ∈SI(Φ) ψ holds. Therefore, if the conjunction of the formulas in SI(Φ) isunsatisfiable, then so is the conjunction of formulas in Φ. In our applicationof translating an LTL formula ϕ ∈ LTLPNF(AP) into a nondeterministicautomaton via a self-loop alternating automaton, it is natural to use the set ofϕ’s node subformulas (NSub(ϕ)) as the set Φ′.

4.5.2 Merging Syntactically Language-Equivalent States

Let SI be the function (with a domain 2Φ′for some finite set of formulas

Φ′ ⊆ LTLPNF(AP)) defined in the previous section. Clearly, if SI(Φ1) =SI(Φ2) holds for two sets of LTL formulas Φ1,Φ2 ⊆ Φ′, then also

∧ψ∈Φ1

ψ ≡∧ψ∈SI(Φ1) ψ ≡

∧ψ∈SI(Φ2) ψ ≡

∧ψ∈Φ2

ψ holds. Therefore, if Φ1 and Φ2 cor-respond to two different states in a nondeterministic automaton built froman LTL formula ϕ ∈ LTLPNF(AP) via a self-loop alternating automaton, itfollows that the subautomata rooted at these states recognize the same lan-guage. The fact that the function SI thus induces an equivalence relationbetween states of the automaton hints at a possibility to reduce the number ofstates in the nondeterministic automaton by “merging” language-equivalentstates (formally referred to as quotienting in the literature).

When working with automata on infinite words, language equivalencebetween two subautomata of a nondeterministic automaton is in general tooweak a relation to guarantee that the automaton obtained by quotientingremains equivalent to the original automaton (see, for example, [Somenziand Bloem 2000]). Therefore, algorithms for minimization by quotientingare usually based on equivalences under stronger simulation relations whichguarantee the correctness of a quotient construction directly [Etessami andHolzmann 2000; Somenzi and Bloem 2000; Etessami et al. 2001, 2005; Etes-sami 2002], or admit checking whether it is safe to apply a quotient construc-tion without resorting to a full language equivalence test between the originaland the minimized automaton [Gurumurthy et al. 2002]. (Not all simulationequivalences can be safely used for quotienting, either—see, e.g., [Etessamiet al. 2001, 2005; Bustan and Grumberg 2002, 2004] for discussion and ex-amples.) We shall show that the function SI induces one of the simplertype of these equivalences: two states can be safely merged whenever theyare found to be language-equivalent by computing syntactic implications.Instead of applying an explicit quotient construction to a nondeterministicautomaton built using the universal subset construction of Theorem 4.3.2,we embed the construction directly into the definition of a nondeterministicautomaton.

The idea of using equivalences based on syntactic implication to mergelanguage-equivalent states in a nondeterministic automaton is well-known


from tableau-based direct translation algorithms between LTL and nondeter-ministic automata [Daniele et al. 1999; Giannakopoulou and Lerda 2002].The details of using syntactic implications to optimize nondeterminizationconstructions for alternating automata have not been considered in the liter-ature, however. Our approach to minimization is nevertheless very similar tothe more general approach of Fritz [2003], who used simulation relations onalternating automata [Fritz and Wilke 2002, 2005] (computed as an indepen-dent step without making use of correspondences between states and LTLformulas) for optimizing the nondeterminization construction of Miyano andHayashi [1984a,b]. The simulation relations used in the approach are, how-ever, targeted for alternating automata with state-based acceptance using asingle acceptance condition (and an explicit partitioning of the states into“existential” and “universal” states [Miyano and Hayashi 1984a,b]) and arethus not directly compatible with our definition of alternating automata.

Optimizing Nondeterminization Using Syntactic ImplicationsIn the following, let A = 〈2AP , Q,∆, qI ,F〉 be a fixed alternating automatonbuilt from a given LTL formula ϕ ∈ LTLPNF(AP) using the translationprocedure outlined in Sect. 3.1. By the discussion in Sect. 3.1.1, there existsa bijective correspondence γ : Q → NSub(ϕ) between the states of A andthe node subformulas of ϕ such that (by the correctness of the translationprocedure, Theorem 3.3.2) for all q ∈ Q, Lfin(A

q) = L(γ(q)

)holds. Let

ι : 2NSub(ϕ) → 2NSub(ϕ) be a function that maps every set of node subformulasof ϕ to another set of node subformulas of ϕ such that

Φ ⊆ ι(Φ) and L( ∧

ψ∈Φ

ψ)⊆ L

( ∧

ψ∈ι(Φ)

ψ)

hold for all subsets Φ ⊆ NSub(ϕ). (Obviously, the first of these propertiesimplies by the semantics of LTL that the second condition is in fact equiv-alent to the condition

∧ψ∈Φ ψ ≡

∧ψ∈ι(Φ) ψ.) For example, it is easy to see

that the function SI defined in the previous section has these properties(technically, because > ∈ SI(Φ) always holds, we may need to replace theformula ϕ with e.g. the logically equivalent formula (ϕ ∧ >) to ensure thatSI is closed with respect to 2NSub(ϕ)). To simplify the notation, we treat thefunction ι as a mapping from 2Q to 2Q by writing (for a subset Q′ ⊆ Q) ι(Q′)in place of {

γ−1(ψ) ψ ∈ ι({γ(q) | q ∈ Q′}

)}

(where γ−1 is the inverse of γ). In this notation, it follows from the propertiesof the functions ι and γ that

Q′ ⊆ ι(Q′) and⋂

q∈Q′

Lfin(Aq) =

⋂

q∈ι(Q′)

Lfin(Aq)

hold for all subsets Q′ ⊆ Q.We intend to prove the following result:

Proposition 4.5.2 Let A = 〈2AP , Q,∆, qI ,F〉 and ι : 2NSub(ϕ) → 2NSub(ϕ)

be an alternating automaton (built from an LTL formula ϕ ∈ LTLPNF(AP))and a function (respectively) satisfying the above assumptions. Define the


automaton Aι =⟨2AP ,

{ι(Q′) Q′ ⊆ Q

},∆ι, ι

({qI}

),F

⟩, where, for all

Q′ ∈{ι(Q′′) Q′′ ⊆ Q

}, Γ ⊆ 2AP , F ⊆ F and Q ⊆

{ι(Q′′) Q′′ ⊆ Q

},

⟨Q′,Γ, F,Q

⟩∈ ∆ι iff for all q ∈ Q′, there exists a transition 〈q,Γq,

Fq, Q′q〉 ∈ ∆ such that Γ =

⋂q∈Q′ Γq, F =⋃

q∈Q′ Fq, and Q ={ι(⋃

q∈Q′ Q′q

)}hold.

The automaton Aι is nondeterministic, and Lfin(Aι) = Lfin(A) holds.

The definition of the automaton Aι is otherwise identical to the defini-tion of a nondeterministic automaton in the universal subset construction ofTheorem 4.3.2 except for changes used to ensure that the initial state andthe transition relation of Aι refer to elements of the state set

{ι(Q′) Q′ ⊆

Q}⊆ 2Q; it is easy to see that the automaton Aι is nondeterministic. Intu-

itively, instead of defining the target states of transitions of Aι as unions ofthe target states of their component transitions (from A) as in the universalsubset construction of Theorem 4.3.2, the construction in Proposition 4.5.2uses the function ι to direct transitions to states that are equivalent under therelation induced by ι into a single representative state; also the initial state ofthe automaton is replaced with its representative. More precisely, the transi-tions of the automaton Aι are related in the following way to the transitionsof the automaton defined from A using the construction in Theorem 4.3.2:

Lemma 4.5.3 Let Aι and And (with transitions ∆ι and ∆nd, respectively) bethe nondeterministic automata obtained from the self-loop alternating au-tomaton A using the constructions of Proposition 4.5.2 and Theorem 4.3.2,respectively. For all transitions

⟨Q′ι,Γι, Fι, {Q

′′ι }

⟩∈ ∆ι and all subsets Q′ ⊆

Q′ι, the automaton And has a transition

⟨Q′,Γnd, Fnd, {Q

′′nd}

⟩∈ ∆nd such

that Γnd ⊇ Γι, Fnd ⊆ Fι and Q′′nd ⊆ Q′′

ι hold.

Proof: Let⟨Q′ι,Γι, Fι, {Q

′′ι }

⟩∈ ∆ι be a transition of Aι, and let Q′ ⊆

Q′ι. By the definition of Aι, there exists, for all q ∈ Q′

ι, a transition tq =〈q,Γq, Fq, Q

′q〉 ∈ ∆ such that Γι =

⋂q∈Q′

ιΓq, Fι =

⋃q∈Q′

ιFq and Q′′

ι =

ι( ⋃

q∈Q′ιQ′q

)hold. Because Q′ ⊆ Q′

ι holds, the collection of transitions {tq |

q ∈ Q′} defines (in the automaton And) a transition⟨Q′,Γnd, Fnd, {Q

′′nd}

⟩=⟨

Q′,⋂q∈Q′ Γq,

⋃q∈Q′ Fq,

{⋃q∈Q′ Q′

q

}⟩∈ ∆nd, and the result follows be-

cause

Γnd =⋂q∈Q′ Γq ⊇

(⋂q∈Q′ Γq

)∩

( ⋂q∈Q′

ι\Q′ Γq

)=

⋂q∈Q′

ιΓq = Γι,

Fnd =⋃q∈Q′ Fq ⊆

(⋃q∈Q′ Fq

)∪

( ⋃q∈Q′

ι\Q′ Fq

)=

⋃q∈Q′

ιFq = Fι, and

Q′′nd =

⋃q∈Q′ Q′

q ⊆(⋃

q∈Q′ Q′q

)∪

( ⋃q∈Q′

ι\Q′ Q′

q

)=

⋃q∈Q′

ιQ′q

⊆ ι(⋃

q∈Q′ιQ′q

)= Q′′

ι

hold. �

It is now easy to show that the automaton Aι defined in Proposition 4.5.2from the alternating automaton A fin-recognizes no more words than A.

Lemma 4.5.4 Let A and Aι be the automata specified in Proposition 4.5.2.For all w ∈ Lfin(Aι), w ∈ Lfin(A) holds.


Proof: Let w ∈ Lfin(Aι). Because Lfin(And) = Lfin(A) holds for the non-deterministic automaton And (with transitions ∆nd) obtained from the au-tomaton A using the construction of Theorem 4.3.2, we prove the result byshowing that w ∈ Lfin(And) holds.

Let G = 〈V,E, L〉 be a fin-accepting run of Aι on w. Because Aι is anondeterministic automaton, we may assume that G is a uniform run of Aι

(Proposition 4.1.1). Therefore, V consists of an infinite number of levels Vi,each of which contains a single node vi ∈ Vi (0 ≤ i < ω), andG contains theunique infinite chain of edges (ei)0≤i<ω =

(⟨vi, {vi+1}

⟩)0≤i<ω

. We define

a relabeling L′ of V and E to obtain a fin-accepting run G′ = 〈V,E, L′〉 of

And on w. Let L′(v0)def= {qI}.

Assume that L′(vi) has been defined for some 0 ≤ i < ω, and assume alsothat L′(vi) ⊆ L(vi) holds (clearly, because G is a consistently labeled runof Aι, this assumption holds for i = 0 because L′(v0) = {qI} ⊆ ι

({qI}

)=

L(v0) holds). Because G is a run of Aι, the edge ei =⟨vi, {vi+1}

⟩is labeled

with the transition⟨L(vi),Γi, Fi,

{L(vi+1)

}⟩∈ ∆ι (for some Γi ⊆ 2AP

and Fi ⊆ F ) such that w(i) ∈ Γi holds. Because L′(vi) ⊆ L(vi) holds,it follows by Lemma 4.5.3 that the automaton And has a transition ti =⟨L′(vi),Γ

′i, F

′i , {Q

′′}⟩∈ ∆nd for some Γ′

i ⊇ Γi, F ′i ⊆ Fi and Q′′ ⊆ L(vi+1).

We now define L′(ei)def= ti and L′(vi+1)

def= Q′′; clearly, L′(vi+1) ⊆ L(vi+1)

holds, and we may complete the definition of the labeling L′ by inductionon i.

We claim that the graph G′ = 〈V,E, L′〉 is a fin-accepting run of And onw. Clearly, because G′ shares its nodes and edges with the run G, G′ satisfiesthe partitioning and causality constraints. Because w(i) ∈ Γi ⊆ Γ′

i andL′(ei) = ti =

⟨L′(vi),Γ

′i, F

′i ,

{L′(vi+1)

}⟩∈ ∆nd hold for all 0 ≤ i < ω, it

is easy to see that L′ is consistent. Furthermore, because fin((ei)0≤i<ω

)= ∅

holds in G and F ′i ⊆ Fi holds for all 0 ≤ i < ω, it follows that G′ is a

fin-accepting run of And on w, and thus w ∈ Lfin(And) = Lfin(A) holds. �

The following lemma establishes language containment in the conversedirection.

Lemma 4.5.5 Let A and Aι be the automata specified in Proposition 4.5.2.For all w ∈ Lfin(A), w ∈ Lfin(Aι) holds.

Proof: The proof relies on the fact that the automaton A is an acceptanceclosed alternating automaton that has an f -representative state for all of itsacceptance conditions f ∈ F (Lemma 4.3.8). Using this result, a straightfor-ward modification to the construction in the proof of Proposition 4.3.5 can beused to find a fin-acceptance synchronized run of Aι onw; thusw ∈ Lfin(Aι)follows by Proposition 4.3.1. The details are as follows.

As in the proof of Proposition 4.3.5, write F = {f1, f2, . . . , fn} for some0 ≤ n < ω. By Lemma 4.3.8, A has an fi-representative state qfi

∈ Q for all1 ≤ i ≤ n. Let w ∈ Lfin(A); we define a fin-acceptance synchronized runG = 〈V,E, L〉 of Aι on w.

(Definition of G) Let Vdef=

⋃0≤i<ω Vi =

⋃0≤i<ω{vi} (where vi 6= vj holds

for all 0 ≤ i, j < ω, i 6= j) and Edef=

⋃0≤i<ω

{〈vi, Vi+1〉

}. Obviously, the


unlabeled graph 〈V,E〉 satisfies the partitioning and causality constraints.We define the labeling L inductively as follows.

Let L(v0)def= ι

({qI}

). Identically to the proof of Proposition 4.3.5, we

define auxiliary integers c0, c1, c2, . . . (0 ≤ ci ≤ n for all 0 ≤ i < ω) to guide

the construction; let c0def= 0.

Assume that L(vi) has been defined for some 0 ≤ i < ω; write L(vi) ={qi,1, qi,2, . . . , qi,ni

} for some 0 ≤ ni < ω such that qi,j 6= qi,k holds for all 1 ≤j, k ≤ ni (j 6= k). Assume also that the labeling L is consistent up to level iof G (i.e., for all nodes vj ∈ V , 0 ≤ j ≤ i, and edges 〈vk, Vk+1〉 ∈ E, 0 ≤k < i), and that wi ∈ Lfin(A

q) holds for all q ∈ L(vi). These assumptionsclearly hold if i = 0: L(v0) = ι

({qI}

)is the initial state of Aι, and because

w0 = w ∈ Lfin(A) = Lfin(AqI) holds (Proposition 2.3.12), it follows from the

properties of the function ι and the definition of L(v0) that w0 ∈ Lfin(AqI) =⋂

q∈{qI}Lfin(A

q) =⋂q∈ι({qI})

Lfin(Aq) =

⋂q∈L(v0) Lfin(A

q) holds, i.e., Aq

fin-accepts w0 for all q ∈ L(v0).Because Aqi,j fin-accepts wi for all 1 ≤ j ≤ ni, there exist transitions

ti,j = 〈qi,j ,Γi,j, Fi,j, Q′i,j〉 ∈ ∆qi,j ⊆ ∆ (for some Γi,j ⊆ 2AP , Fi,j ⊆ F and

Q′i,j ⊆ Qqi,j ⊆ Q) such that w(i) ∈ Γi,j holds for all 1 ≤ j ≤ ni, and Aq′

fin-accepts wi+1 for all q′ ∈⋃

1≤j≤niQ′i,j (Proposition 2.3.15). Furthermore,

if ci 6= 0, and qi,j is not an fci -state or if i ∈ IA,fci(w) holds3, it follows from

the definition of f -representative states (Sect. 4.3.3) that Aqi,j fin-accepts wi

by avoiding an initial f -transition, and thus the transitions ti,j can be chosenso that fci /∈

⋃1≤j≤ni

Fi,j holds.We now extend the labeling L by defining

L(vi+1)def= ι

( ⋃1≤j≤ni

Q′i,j

),

L(〈vi, Vi+1〉

)def=

⟨ ⋃1≤j≤ni

{qi,j},⋂

1≤j≤niΓi,j,

⋃1≤j≤ni

Fi,j,{ι(⋃

1≤j≤niQ′i,j

)}⟩,

and, as in the proof of Proposition 4.3.5,

ci+1def=

ci if ci 6= 0, |IA,fci(w)| = ω and

i /∈ IA,fci(w)

(ci + 1) mod(|F| + 1

)otherwise.

Since wi+1 ∈⋂q′∈

S1≤j≤ni

Q′i,jLfin(A

q′) =⋂q′∈ι(

S1≤j≤ni

Q′i,j)

Lfin(Aq′) holds

by the properties of the function ι, it follows that Aq′ fin-accepts wi+1 for allq′ ∈ ι

( ⋃1≤j≤ni

Q′i,j

). Moreover, it is easy to see from the definition of Aι

that L(〈vi, Vi+1〉

)∈ ∆ι holds, and because w(i) ∈

⋂1≤j≤ni

Γi,j, L(vi) =⋃1≤j≤ni

{qi,j} and L(Vi+1) ={L(vi+1)

}=

{ι( ⋃

1≤j≤niQ′i,j

)}hold, the

labeling of the node vi+1 and the edge 〈vi, Vi+1〉 is consistent. It follows thatthe assumptions used in the inductive construction hold at level i + 1 of G,and we may repeat the construction. This completes the inductive definitionof L and the integers ci; by the inductive argument, it follows that the graphG = 〈V,E, L〉 is a run of Aι on w.

3As in Sect. 4.3.3, we define IA,f (w′)def

={0 ≤ i < ω Aqf fin-accepts (w′)i by avoiding

an initial f -transition}

for all f ∈ F and w′ ∈ (2AP )ω .


The reasoning used in the proof of Proposition 4.3.5 applies directly toshow that ci = f holds for infinitely many indices 0 ≤ i < ω for all accep-tance conditions f ∈ F . Similarly, if IA,f (w) < ω holds for an acceptancecondition f ∈ F , then there exists an index 0 ≤ i < ω such that no statein L(vj) is an f -state for all i ≤ j < ω (Lemma 4.3.6), and thus (becausethe transition starting from the node vj is formed from transitions of A whosesource states are in L(vj)) G is fin-acceptance synchronized with respect tothe condition f . Otherwise IA,f(w) = ω holds, in which case the induc-tive construction of L guarantees that L

(〈vi, Vi+1〉

)is not an f -transition for

infinitely many 0 ≤ i < ω, and G is fin-acceptance synchronized with re-spect to f also in this case. Because the same result holds for all acceptanceconditions, it follows that G is fin-acceptance synchronized, and thereforefin-accepting (Proposition 4.3.1). We conclude that w ∈ Lfin(Aι) holds. �

Proposition 4.5.2 now follows from Lemma 4.5.4 and Lemma 4.5.5.

The Subautomaton AqI

Proposition 4.5.2 shows that the state set of the nondeterministic automatonobtained using the universal subset construction from an alternating automa-ton A built from an LTL formula ϕ ∈ LTLPNF(AP) using the translationrules of Sect. 3.1 can be reduced by, in effect, merging states that have iden-tical images under a function ι satisfying certain constraints; the function SIdefined in Sect. 4.5.1 provides a concrete example of such a function.

In practice, however, we are usually not interested in the full automatonA, but instead the subautomaton AqI rooted at its initial state, and a non-deterministic automaton obtained from AqI . As observed in Sect. 3.2.1, thestate set QqI of AqI consists of those states of A that correspond to (i) theformula ϕ itself, (ii) a binary pure temporal subformula of ϕ, or (iii) a sub-formula ψ ∈ NSub(ϕ) such that Xψ ∈ NSub(ϕ) holds. Consequently, allstates reachable from the initial state {qI} of the nondeterministic automatonobtained from A using the universal subset construction of Theorem 4.3.2correspond to conjunctions of these formulas. However, this correspondenceis not preserved in the nondeterminization construction of Proposition 4.5.2when using the function SI to identify equivalent states of the nondetermin-istic automaton: in the general case, there may exist subsets Q′ ⊆ QqI forwhich SI(Q′) ⊆ QqI does not hold. For example, the subautomaton rootedat the initial state of the nondeterministic automaton built for the formula(p1 Rs p2) by applying Theorem 4.3.2 consists of a single state that corre-sponds to the set of binary pure temporal formulas

{(p1 Rs p2)

}, but the ini-

tial state of the automaton built using the construction of Proposition 4.5.2corresponds to the set of formulas SI

({(p1 Rs p2)

})=

{(p1 Rs p2), p2,>

},

which contains also Boolean formulas. In more complex cases, it is noteven apparent (without further analysis of the function SI) from the nonde-terminization construction of Proposition 4.5.2 why the construction couldnot in fact yield a nondeterministic automaton having more states reachablefrom its initial state than the automaton built using the standard universalsubset construction. Thus it is not obvious whether the upper bounds givenin Corollary 4.3.9 still hold for nondeterministic automata built using theconstruction of Proposition 4.5.2.

The above technical difficulty can be avoided via a simple change to the


function SI to make it closed with respect to the set 2QqI by simply project-

ing the image SI(Q′) of any subset Q′ ⊆ QqI back to a subset of QqI . Thatis, we may refine the function SI used in the nondeterminization construc-

tion into a function SI ′ : 2Q → 2Q by defining SI ′(Q′)def= SI(Q′) ∩ QqI

for all Q′ ⊆ QqI (and SI ′(Q′)def= SI(Q′) for all 2Q \ 2Q

qI ); it is straight-forward to check that the function SI ′ still has the properties required of afunction usable in the construction for every subset Q′ ⊆ Q. The states inthe subautomaton rooted at the initial state of the nondeterministic automa-ton built by using the function SI ′ for nondeterminization can thus be seento be elements of the set

{SI ′(Q′) Q′ ⊆ QqI

}⊆ 2Q

qI . The size of this setdoes not exceed the upper bound given in Corollary 4.3.9: as in the proofof Corollary 4.2.2 (p. 79), we can consider the initial state of AqI to be anelement separate from QqI if the formula ϕ is not a binary pure temporalformula. As a further possible advantage of using the function SI ′ instead ofthe function SI in the construction, the fact that the values of SI ′ are sub-sets of the corresponding values of SI may speed up the construction if thetransitions of the nondeterministic automaton are to be built explicitly: thenumber of possible combinations of transitions starting from a state in thenondeterministic automaton is in the worst case exponential in the numberof state components (i.e., the size of the state when seen as a subset of Q).

4.6 THE SUBCLASS LTLCND

We end this chapter by investigating a syntactic subclass of LTL for whichtranslation into self-loop alternating automata can be combined with a sim-ple completion lemma to obtain a direct translation procedure from this sub-class of LTL into nondeterministic automata. Essentially the same subclassof LTL has previously been considered by Schneider [1999] in the context ofsymbolic translation algorithms from LTL into automata. A closely relatedapproach was also taken by Maidl [2000a], who investigated translation ofanother syntactic subclass of LTL into one-weak nondeterministic automata.Although these two subclasses of LTL have different syntactic definitions anduse different translation rules, we shall show that the LTL subclass used byMaidl actually coincides with an explicit version of the subclass of Schnei-der. This version can be extracted from the translation procedure presentedin Sect. 3.1 by studying the closure properties of the rules. Because any for-mula from this subclass can be translated into a self-loop nondeterministicautomaton with a set of states whose size is linear in the number of puretemporal subformulas in the formula, each satisfiable formula in the subclasshas a model that can be represented in polynomial space in the length of theformula. It follows that the decision problem of testing the satisfiability offormulas in the subclass is NP-complete.

4.6.1 Completion to Nondeterministic Automata

By definition, a nondeterministic automaton is an alternating automaton,all transitions of which have exactly one target state. Obviously, alternatingautomata having no transitions with two or more target states “almost” satisfy


this condition with the possible exception of transitions whose target state setis empty. It is straightforward to make these automata nondeterministic byredirecting all such transitions to an additional “sink” state, the subautomatonrooted at which always accepts its input.4

Lemma 4.6.1 Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automaton suchthat |Q′| ≤ 1 holds for all transitions 〈q,Γ, F,Q′〉 ∈ ∆. Let q be a new statenot included in Q. The automaton A′ =

⟨Σ, Q ∪ {q},∆′, qI ,F

⟩, where

∆′ def=

{〈q,Γ, F,Q′〉 ∈ ∆ Q′ 6= ∅

}∪

{〈q,Γ, F, {q}〉〈q,Γ, F, ∅〉 ∈ ∆

}∪{

〈q,Σ, ∅, {q}〉}

, is a nondeterministic automaton with Lfin(A) = Lfin(A′),

and A′ is a self-loop automaton iff A is.

Proof: Because |Q′| ≤ 1 holds for all 〈q,Γ, F,Q′〉 ∈ ∆, it is easy to see fromthe definition of A′ that every transition of A′ has exactly one target state,and thus A′ is nondeterministic. Because the definition obviously preservesall cycles of A and adds only a self-loop to the automaton, A′ is a self-loopnondeterministic automaton if A is a self-loop alternating automaton andvice versa. We check that A and A′ fin-accept the same language.

(Lfin(A) ⊆ Lfin(A′)) Letw ∈ Σω be a word fin-accepted by the automaton

A, and let G = 〈V,E, L〉 be a fin-accepting run of A on w. Define the

graph G′ = 〈V ′, E ′, L′〉, where V ′ def= V , E ′ def

={〈v, V ′〉 ∈ E V ′ 6= ∅

}, and

L′(x)def= L(x) for all x ∈ V ′ ∪ E ′. Because G is a run and V ′ ⊆ V and

E ′ ⊆ E, V ′0 is a singleton, and V ′ is obviously partitioned into disjoint finite

levels such that E ′ contains edges only between successive levels of G′. Forthe same reason, each node of V ′ has at most one outgoing edge, and eachnode v′ ∈ V ′

i (1 ≤ i < ω) is a successor of another node inG′ (it is a successorof another node in G, and E ′ includes all edges in E with a nonempty setof target nodes). Furthermore, the labeling of v0 and each edge in E ′ isconsistent. Finally, because all infinite branches in G′ are obviously infinitebranches of the fin-accepting run G, the branches satisfy the fin-acceptancecondition, and it follows that G′ is a fin-accepting semi-run of A′ on w.

Let v ∈ V ′i be a node with no outgoing edges for some 0 ≤ i < ω.

In G, this node has the unique outgoing edge e ∈ E with an empty set oftarget nodes such that L(e) =

⟨L(v),Γ, F, ∅

⟩∈ ∆ holds for some Γ ⊆ Σ

and F ⊆ F , and w(i) ∈ Γ. By the definition of A′, (A′)L′(v) = (A′)L(v)

now has an initial transition⟨L′(v),Γ, F, {q}

⟩∈ ∆′. Furthermore, be-

cause Lfin

((A′)q

)= Σω obviously holds, it follows that (A′)q fin-accepts

wi+1, and therefore (A′)L′(v) fin-accepts wi by Proposition 2.3.15. Since this

same result holds for all nodes of V ′ with no outgoing edges, we can applyProposition 2.3.14 to extend the semi-run G′ into a fin-accepting run of A′

on w, and thus w ∈ Lfin(A′) holds.

(Lfin(A′) ⊆ Lfin(A)) Let G′ = 〈V ′, E ′, L′〉 be a fin-accepting run of A′

on some w ∈ Σω. In this case we can define a fin-accepting semi-run G =〈V,E, L〉 of A on w as follows:

4Alternatively, we could simply relax the definition of nondeterministic automata to per-mit transitions with no target states. We nevertheless use the more traditional definitionof nondeterministic automata, which also saves us from the possible need to consider suchtransitions a special case when working with nondeterministic automata.


• Vdef=

{v ∈ V ′ L′(v) 6= q

};

• Edef=

{e ∈ E ′ L′(e) = 〈q,Γ, F,Q′〉 ∈ ∆′, q /∈ {q} ∪Q′

}; and

• L(x)def= L′(x) for all x ∈ V ∪ E.

As above, because V ⊆ V ′ and E ⊆ E ′, V can be partitioned into finitedisjoint levels such that V0 is a singleton (because q /∈ L′(V0) = {qI} holds),the edges of G lie between successive levels of V , and since E ⊆ E ′, eachnode of v has at most one outgoing edge, and the labeling L is consistent forall x ∈ V ∪E.

If there exists a node v′ ∈ V \ V0 that is not a successor of another nodein V , then, because G′ is a run, there exists a node v ∈ V ′ and an edgee′ = 〈v, V ′′〉 ∈ E ′ that includes v′ in its target nodes. Because e′ /∈ E,however, it follows that the transition L′(e′) ∈ ∆′ has q either as its sourcestate or as one of its target states. By the definition of ∆′, q is actually the onlytarget state of L′(e′), and thus all nodes of V ′′ are labeled with q in G′. Inparticular, L′(v′) = q holds. This contradicts the fact that v′ ∈ V , however.Therefore v′ is necessarily a successor of another node in V .

Because the infinite branches of G form a subset of the infinite branchesof G′ (all of which satisfy the fin-acceptance condition), it follows that G is afin-accepting semi-run of A on w.

If v ∈ Vi is a node in G with no outgoing edges for some 0 ≤ i < ω, thenL(v) = L′(v) 6= q, and there exists an edge e ∈ E ′ labeled with a transition⟨L′(v),Γ, F, {q}

⟩∈ ∆′ for some Γ ⊆ Σ and F ⊆ F such that w(i) ∈ Γ

holds. Because L′(v) = L(v) holds, it follows from the definition of A′ that⟨L(v),Γ, F, ∅

⟩∈ ∆ is an initial transition of AL(v). Because the target state

set of this transition is empty, Proposition 2.3.15 applies trivially, and thusAL(v) fin-accepts wi. Because v is arbitrary, it follows by Proposition 2.3.14that G can be extended into a fin-accepting run of A on w, and thereforew ∈ Lfin(A) holds. �

4.6.2 Closure Properties of Translation Rules

Lemma 4.6.1 makes it possible to complete any alternating automaton hav-ing no transitions with two or more target states into a nondeterministic au-tomaton that fin-recognizes its language. Our goal is to identify a class ofLTL formulas which admit translation into alternating automata that can bemade nondeterministic simply by applying this lemma. A natural approachis to consider the closure properties of the translation rules (cf. [Schneider1999]), i.e., the conditions under which an automaton built using a trans-lation rule can be made nondeterministic using Lemma 4.6.1 provided thatthe automata to which the rule was applied had this property.

Clearly, an alternating automaton built from an atomic formula has atmost one transition, and this transition has no target states. Hence, this au-tomaton can be completed into a nondeterministic automaton by applyingLemma 4.6.1. The other translation rules have the following simple closureproperties.


Lemma 4.6.2 Let A1 and A2 be two self-loop alternating automata havingno transitions with two or more distinct target states, and let A3 be a single-state alternating automaton, all transitions of which have an empty set oftarget states. All automata built from

(a) A1 with the translation rule for the X operator,

(b) A1 and A2 (or A2 and A1) with the translation rule for the ∨ operator,

(c) A1 and A3 (or A3 and A1) with the translation rule for the ∧ operator,

(d) A3 and A1 with one of the U translation rules (using the initial transi-tions of A3 to define the initial self-loops of the compound automaton)

(e) A1 and A3 with one of the R translation rules (using the initial transi-tions of A3 to define the initial self-loops of the compound automaton)

are self-loop alternating automata with no transitions having two or moredistinct target states.

Proof: It is clear by the discussion in Sect. 3.1.1 that an automaton built byapplying a translation rule to self-loop alternating automata is itself a self-loop alternating automaton. We verify the claim that this automaton has notransitions with two or more distinct target states.

(a) Applying the X translation rule to the automatonA1 adds one transition

to this automaton. Because the only target state of this transition is the initialstate of A1, the result follows from the assumption that all transitions of A1

have at most one target state.

(b) The translation rule for the ∨ operator creates transitions, each of

which shares its target states with some initial transition of A1 or A2. Theresult now holds again by the assumption that A1 and A2 have no transitionswith two or more distinct target states.

(c) By the assumption, the target state set of each transition of A3 is empty.

Thus, because all transitions of A1 have at most one target state, the union ofthe target state sets of any pair of transitions of A1 and A3 is a set containing atmost one state. The result now follows from the properties of A1 and A3 andthe fact that the target state sets of all transitions created by the ∧ translationrule are formed in this way.

(d) Each transition created by one of the translation rules for the U con-

nectives either shares its target states with some initial transition of A1, or itstarget states are formed by adding the initial state of the constructed automa-ton to the (empty) target state set of some initial transition of A3. Becauseno transition of A1 has two or more distinct target states, there are no suchtransitions in the compound automaton, either.

(e) The translation rules for the R connectives form the target states of each

new transition either by augmenting the (empty) target state set of one of theinitial transitions of A3 with the initial state of the constructed automaton,or by collecting the target states of a pair of A1’s and A3’s initial transitions.It is easy to see from the properties of A1 and A3 that no transition of thecompound automaton will have two or more target states. �


4.6.3 Definition of the Subclass

Lemma 4.6.2 helps to isolate a simple syntactic fragment of LTL that can betranslated into self-loop alternating automata having no transitions with twoor more target states. Formally, for a countable set AP of atomic proposi-tions, we define the set LTLCND(AP) (“subset of LTL for which the transla-tion rules are closed under translation into nondeterministic automata”) asthe smallest set of formulas that is closed under the finite application of thesyntactic rule

If θ ∈ PL(AP) and ϕ1, ϕ2 ∈ LTLCND(AP), thenθ, Xϕ1, (ϕ1 ∨ ϕ2), (ϕ1 ∧ θ), (θ ∧ ϕ1), (θUϕ1), (ϕ1 R θ) ∈ LTLCND(AP)

(where U and R can be either weak or strong binary temporal connectives).It is easy to see that [ϕ]PNF ∈ LTLCND(AP) holds for all formulas ϕ ∈

LTLCND(AP), because the syntactic definition allows negation to occur onlyin propositional subformulas of ϕ (and the positive normal form of sucha subformula is also a propositional formula). Obviously, |Temp(ϕ)| =Temp

([ϕ]PNF

)then holds also.

Proposition 4.6.3 Let ϕ ∈ LTLCND(AP). The self-loop alternating automa-ton built from [ϕ]PNF using the translation rules presented in Sect. 3.1 hasno transitions with two or more distinct target states.

Proof: Because ϕ ≡ [ϕ]PNF and [ϕ]PNF ∈ LTLCND(AP) hold, we may, with-out loss of generality, assume that ϕ itself is in positive normal form. It is clearfrom the basic translation rules that the result holds if ϕ is an atomic formula.Assume that the result holds for all formulas in LTLCND(AP) of length lessthan or equal to some 1 ≤ k < ω, and assume that ϕ is a non-atomic formulaof length k + 1. Due to the minimality of LTLCND(AP), ϕ is a compoundformula of one of the forms presented in the definition of the subclass, andtherefore ϕ has one or two top-level subformulas in LTLCND(AP) of lengthat most k. By the induction hypothesis, these subformulas can be translatedinto self-loop alternating automata with no transitions having two or more tar-get states. The result now follows by induction, where the induction step canbe proved for each different kind of compound formula using Lemma 4.6.2.

For example, if ϕ is of the form (θUϕ1) for some θ ∈ PL(AP) andϕ1 ∈ LTLCND(AP), then there exist self-loop alternating automata havingthe desired property for the formulas θ and ϕ1 by the induction hypothesis.More precisely, because θ is a propositional formula, θ has a correspondingself-loop alternating automaton, all transitions of which have an empty setof target states. By Lemma 4.6.2 (d), it now follows that the compound au-tomaton built from these automata using one of the translation rules for theU connectives has no transitions with two or more target states. �

By combining Proposition 4.6.3 and Theorem 3.3.2 with Lemma 4.6.1,we obtain an effective procedure for translating formulas from LTLCND(AP)directly into nondeterministic automata. It follows that the number of statesin an automaton that recognizes the language of a formula in the subclassLTLCND(AP) depends linearly on the number of syntactically distinct puretemporal subformulas in the formula.


Corollary 4.6.4 Let ϕ ∈ LTLCND(AP) be an LTL formula. The languageL(ϕ) can be fin-recognized by a self-loop nondeterministic automaton withat most 2 + |Temp(ϕ)| states.

Proof: Let A be a self-loop alternating automaton built from [ϕ]PNF usingthe basic translation rules, let qI be the initial state of the automaton, andlet QqI be the state set of the subautomaton AqI . By Proposition 4.6.3, Ahas no transitions with two or more target states, and AqI has this same prop-erty. If A is not nondeterministic, then A can be completed to an equiv-alent nondeterministic automaton by applying Lemma 4.6.1. This modifi-cation adds a new state to the automaton. The result then follows because|QqI | ≤ 1+ Temp

([ϕ]PNF

)= 1+|Temp(ϕ)| (Corollary 3.2.2) and because

A and AqI fin-accept the same language (Proposition 2.3.12). �

4.6.4 Relationships between Syntactic Subclasses of LTL

As a closely related approach, Maidl [2000a] defined a subclass of LTL calledLTLdet that consists of formulas whose negation can be translated into self-loop nondeterministic automata. (The class LTLdet itself corresponds to theset of LTL formulas, for each of which there exists a formula in the branchingtime logic ∀CTL such that the model checking problems for these formulasin any structure have the same solution [Maidl 2000a].) We denote the classof negations of formulas in LTLdet (over a given set AP of atomic proposi-

tions) by LTLdet(AP); this subclass of LTL can be defined directly as thesmallest subset of LTL(AP) that is closed under the finite application of thesyntactic rule

If θ ∈ PL(AP) and ϕ1, ϕ2 ∈ LTLdet(AP), thenθ, Xϕ1, (ϕ1 ∨ ϕ2),

((θ ∨ ϕ1) ∧ (¬θ ∨ ϕ2)

), and(

(θ ∨ ϕ1) R (¬θ ∨ ϕ2))∈ LTLdet(AP)

(where R can be either of the Release connectives).The relationship between the expressive power of the syntactic subclasses

LTLCND(AP) and LTLdet(AP) is not immediately obvious from the syn-

tactic definitions of the subclasses. For example, the subclass LTLdet(AP)includes binary pure temporal formulas, both top-level subformulas of whichare temporal formulas. As we shall show below, the subclasses in fact describethe same LTL properties equally succinctly in the number of syntacticallydistinct pure temporal subformulas. We first define sets of recursive rules

for rewriting formulas in LTLCND(AP) and LTLdet(AP). We then show

that the rules define mappings between LTLCND(AP) and LTLdet(AP) thatpreserve the logical equivalence of formulas (Proposition 4.6.6). Finally, weshow that the mappings do not increase the number of syntactically distinctpure temporal subformulas (Proposition 4.6.9).

Translations between LTLCND(AP) and LTLdet(AP)

Let ϕ ∈ LTLCND(AP). We associate with ϕ the formula [ϕ]det obtainedfrom ϕ by applying the following recursive rewrite rules (where ϕ1, ϕ2 ∈


LTLCND(AP) and θ ∈ PL(AP)):

[ϕ]det def= ϕ if ϕ ∈ PL(AP), and for formulas not in PL(AP),

[Xϕ1]det def

= X[ϕ1]det

[(ϕ1 ∨ ϕ2)

]det def=

([ϕ1]

det ∨ [ϕ2]det

)[(ϕ1 ∧ θ)

]det def=

((θ ∨ ⊥) ∧ (¬θ ∨ [ϕ1]

det))

[(θ ∧ ϕ1)

]det def=

((θ ∨ ⊥) ∧ (¬θ ∨ [ϕ1]

det))

[(θUϕ1)

]det def=

((¬θ ∨ [ϕ1]

det) R (¬(¬θ) ∨ [ϕ1]det)

)[(ϕ1 R θ)

]det def=

((¬θ ∨ [ϕ1]

det) R (¬(¬θ) ∨⊥))

Conversely, we also associate with each formula ϕ ∈ LTLdet(AP) the for-mula [ϕ]CND defined recursively as follows:

[ϕ]CND def= ϕ if ϕ ∈ PL(AP); and otherwise

[Xϕ1]CND def

= X[ϕ1]CND

[(ϕ1 ∨ ϕ2)

]CND def=

([ϕ1]

CND ∨ [ϕ2]CND

)[(

(θ ∨ ϕ1) ∧ (¬θ ∨ ϕ2))]CND def

=((¬θ ∧ [ϕ1]

CND) ∨ (θ ∧ [ϕ2]CND)

)[(

(θ ∨ ϕ1) R (¬θ ∨ ϕ2))]CND def

=(¬θ U ((¬θ ∧ [ϕ1]

CND) ∨ (θ ∧ [ϕ2]CND))

)

(In rules involving binary temporal connectives, the binary temporal connec-tives always have the same strength on both sides of the definition.)

Expressive Equivalence of LTLCND(AP) and LTLdet(AP)

To show that the above rewrite rules define mappings between the subclasses

LTLCND(AP) and LTLdet(AP) such that the mappings preserve the logicalequivalence of formulas, we first list the following simple LTL identities forreference.

Lemma 4.6.5 The following identities hold for all LTL formulas ϕ1, ϕ2 ∈LTL(AP) (where the temporal connectives in an identity are of the samestrength on both sides of the identity):

(a) (ϕ1 Uϕ2) ≡((ϕ1 ∨ ϕ2) Uϕ2);

(b) (ϕ1 Uϕ2) ≡((¬ϕ1 ∨ ϕ2) R (ϕ1 ∨ ϕ2)

);

(c) (ϕ1 Rϕ2) ≡((¬ϕ2 ∨ ϕ1) Rϕ2

).

Proof: Let w ∈ (2AP)ω. We check that the identities hold by the semanticsof LTL.

(a) w |= (ϕ1 Uϕ2)

iff there exists an index 0 ≤ i < ω such that wi |= ϕ2 holds, and wj |= ϕ1

holds for all 0 ≤ j < i (or if U = Uw, and wi |= ϕ1 holds for all0 ≤ i < ω) (semantics of U)

iff there exists a least index 0 ≤ i < ω such that wi |= ϕ2 holds, andwj |= ϕ1 holds for all 0 ≤ j < i (or if U = Uw, and wi |= ϕ2 does nothold for any, but wi |= ϕ1 holds for all 0 ≤ i < ω)


iff there exists a least index 0 ≤ i < ω such that wi |= ϕ2 holds, andwj |= (ϕ1 ∨ ϕ2) holds for all 0 ≤ j < i (or if U = Uw, and wi |= ϕ2

does not hold for any, but wi |= (ϕ1 ∨ ϕ2) holds for all 0 ≤ i < ω)

iff there exists an index 0 ≤ i < ω such that wi |= ϕ2 holds, and wj |=(ϕ1 ∨ ϕ2) holds for all 0 ≤ j < i (or if U = Uw, and wi |= (ϕ1 ∨ ϕ2)holds for all 0 ≤ i < ω)

iff w |=((ϕ1 ∨ ϕ2) Uϕ2

). (semantics of U)

(b) w |= (ϕ1 Uϕ2)

iff w |=((ϕ1 ∨ ϕ2) Uϕ2

)(by (a))

iff w |=((ϕ1 ∨ ϕ2) U (⊥∨ ϕ2)

)(ϕ2 ≡ (⊥ ∨ ϕ2))

iff w |=((ϕ1 ∨ ϕ2) U ((ϕ1 ∧ ¬ϕ1) ∨ ϕ2)

)(⊥ ≡ (ϕ1 ∧ ¬ϕ1))

iff w |=((ϕ1 ∨ ϕ2) U ((ϕ1 ∨ ϕ2) ∧ (¬ϕ1 ∨ ϕ2))

)

(((ϕ1 ∧ ¬ϕ1) ∨ ϕ2

)≡

((ϕ1 ∨ ϕ2) ∧ (¬ϕ1 ∨ ϕ2)

))

iff w |=((¬ϕ1 ∨ ϕ2) R (ϕ1 ∨ ϕ2)

). (definition of R in terms of U)

(c) w |= (ϕ1 Rϕ2)

iff w |=(ϕ2 U (ϕ1 ∧ ϕ2)

)(definition of R in terms of U)

iff w |=(ϕ2 U ((¬ϕ2 ∨ ϕ1) ∧ ϕ2)

)((ϕ1 ∧ ϕ2) ≡

((¬ϕ2 ∨ ϕ1) ∧ ϕ2

))

iff w |=((¬ϕ2 ∨ ϕ1) Rϕ2

). (definition of R in terms of U)

�

It is now straightforward to show that [ · ]det is a mapping from the sub-

class LTLCND(AP) to LTLdet(AP) that preserves the logical equivalence offormulas (and conversely for [ · ]CND in the opposite direction).

Proposition 4.6.6 Let C be one of the syntactic subclasses LTLCND(AP) or

LTLdet(AP), let C′ be the opposite subclass, let ϕ ∈ C, and let [ϕ] be theformula obtained from ϕ via the translation defined above for formulas inthe subclass C. The formulas ϕ and [ϕ] are logically equivalent, and [ϕ] ∈ C′

holds.

Proof: The result obviously holds if ϕ is a propositional formula, because

PL(AP ) ⊆ LTLCND(AP) ∩ LTLdet(AP). In particular, the result holds if|ϕ| = 1.

Assume that ϕ ≡ [ϕ] ∈ C′ holds for all formulas ϕ ∈ C of length at most1 ≤ k < ω, and let ϕ ∈ C be a temporal formula of length k+ 1. If ϕ = Xϕ1

or ϕ = (ϕ1 ∨ ϕ2) holds for some ϕ1, ϕ2 ∈ C (|ϕ1| ≤ k, |ϕ2| ≤ k), theneither [ϕ] = X[ϕ1] or [ϕ] =

([ϕ1] ∨ [ϕ2]

), and the result follows easily by

the semantics of LTL and the syntactic closure properties of the subclass C′

since [ϕ1] ≡ ϕ1 ∈ C′ and [ϕ2] ≡ ϕ2 ∈ C′ hold by the induction hypothesis.We check the other possible cases in each direction. Below, ϕ1 and ϕ2 areformulas in the subclass C, and θ is a propositional formula.

(C = LTLCND(AP), C′ = LTLdet(AP)) If ϕ = (ϕ1 ∧ θ) or ϕ = (θ ∧ ϕ1)

holds, then it is easy to check from the semantics of LTL that ϕ ≡ (θ∧ϕ1) ≡(θ ∧ (¬θ ∨ ϕ1)

)≡

((θ ∨⊥) ∧ (¬θ ∨ ϕ1)

)holds.


If ϕ = (θUϕ1), then ϕ = (θUϕ1) ≡((¬θ ∨ ϕ1) R (θ ∨ ϕ1)

)≡

((¬θ ∨

ϕ1) R (¬(¬θ) ∨ ϕ1))

holds by Lemma 4.6.5 (b) and the semantics of LTL.Finally, if ϕ = (ϕ1 R θ), then ϕ = (ϕ1 R θ) ≡

((¬θ ∨ ϕ1) R θ

)≡

((¬θ ∨

ϕ1) R (θ∨⊥))≡

((¬θ∨ϕ1) R (¬(¬θ)∨⊥)

)holds by Lemma 4.6.5 (c) (used

in the first logical equivalence) and the semantics of LTL.In each case, we obtain the formula [ϕ] from the last formula in the chain

of logical equivalences by substituting [ϕ1] for the subformula ϕ1. Because

ϕ1 ≡ [ϕ1] ∈ C′ = LTLdet(AP) holds by the induction hypothesis, it is easy

to see that ϕ ≡ [ϕ] ∈ LTLdet(AP) holds by the semantics of LTL and the

syntactic closure properties of LTLdet(AP). The result holds by inductionon |ϕ| for all temporal formulas ϕ ∈ LTLCND(AP).

(C = LTLdet(AP), C′ = LTLCND(AP)) If ϕ =((θ∨ϕ1)∧(¬θ∨ϕ2)

), then

it is easy to check from the semantics of LTL that ϕ ≡((¬θ∧ϕ1)∨ (θ∧ϕ2)

)

holds. Similarly, if ϕ =((θ ∨ ϕ1) R (¬θ ∨ ϕ2)

), then ϕ ≡

(¬θ U ((¬θ ∧

ϕ1) ∨ (θ ∧ ϕ2)))

holds (see [Maidl 2000b] for a proof). We again obtain[ϕ] by replacing the formulas ϕ1 and ϕ2 with [ϕ1] and [ϕ2] (respectively)in the right-hand side formulas in the identities, and the result follows bythe semantics of LTL and the syntactic closure properties of LTLCND(AP)because ϕ1 ≡ [ϕ1] ∈ C′ and ϕ2 ≡ [ϕ2] ∈ C′ = LTLCND(AP) hold bythe induction hypothesis. We conclude that the result holds for all temporal

formulas ϕ ∈ LTLdet(AP) by induction on |ϕ|. �

Preservation of the Number of Pure Temporal Subformulas

To show that the mappings [ · ]det and [ · ]CND do not increase the numberof syntactically distinct pure temporal subformulas, we need the followingadditional definition. We say that a formula ϕ ∈ LTLCND(AP) is in CND-normal form iff ϕ does not contain subformulas of the form (ϕ1 ∧ θ) or(⊥R θ) (where ϕ1 ∈ LTLCND(AP) \ PL(AP), θ ∈ PL(AP), and R ∈{Rs,Rw}). Obviously, every formula in LTLCND(AP) can be rewritten inCND-normal form due to the identities (ϕ1 ∧ θ) ≡ (θ ∧ ϕ1) and (⊥R θ) ≡(θU (⊥ ∧ θ)

)≡ (θU⊥) that hold for all ϕ1 ∈ LTL(AP) and θ ∈ PL(AP)

(where the R and U connectives are of the same strength in each formulain the second chain of identities). Furthermore, it is easy to see that theCND-normal form of ϕ has at most as many pure temporal subformulas as ϕitself.

We first make note of the fact that the translation from LTLCND(AP) to

LTLdet(AP) maps every pure temporal subformula of ϕ to a pure temporalsubformula of [ϕ]det, and the same holds for the other direction.

Lemma 4.6.7 Let C be one of the subclasses LTLCND(AP) or LTLdet(AP),let C′ be the opposite subclass, let ϕ ∈ C, and let [ϕ] be the formula ob-tained from ϕ via the translation from C to C′. For all ψ ∈ Temp(ϕ),[ψ] ∈ Temp

([ϕ]

)holds.

Proof: The result holds trivially if ϕ ∈ PL(AP) holds, since ϕ has no puretemporal subformulas in this case. For temporal formulas, the result followsby a straightforward induction on |ϕ| by observing that for all formulas ψ ∈ C,ψ is a pure temporal formula only if [ψ] is a pure temporal formula. We omitthe details of the proof. �


On the other hand, any two syntactically distinct formulas in CND-normal

form in LTLCND(AP), or two syntactically distinct formulas in LTLdet(AP),always translate to syntactically distinct formulas in the opposite subclass.

Lemma 4.6.8 Let C be one of the subclasses LTLCND(AP) or LTLdet(AP),let C′ be the opposite subclass, let ϕ, ψ ∈ C (and let ϕ, ψ be in CND-normalform if C = LTLCND(AP)), and let [ϕ] and [ψ] be the formulas obtainedfrom ϕ and ψ, respectively, via the translation from C to C′. If ϕ 6= ψ, then[ϕ]det 6= [ψ]det.

Proof: Suppose that ϕ 6= ψ holds. We show that [ϕ] and [ψ] are syntacti-cally distinct by induction on the maximum length of ϕ and ψ. The resultis obvious if ϕ, ψ ∈ PL(AP) holds, since [ϕ] = ϕ 6= ψ = [ψ] holds inthis case. In particular, [ϕ] 6= [ψ] holds if max

{|ϕ|, |ψ|

}= 1. The result

follows immediately also if only one of ϕ and ψ is a temporal formula: forexample, if Temp(ϕ) 6= ∅ but Temp(ψ) = ∅, then Temp

([ϕ]

)6= ∅ holds

by Lemma 4.6.7, but Temp([ψ]

)= Temp(ψ) = ∅. Obviously, two formulas

cannot be syntactically identical if only one of them contains a pure temporalsubformula.

Assume that the result holds whenever max{|ϕ|, |ψ|

}≤ k holds for some

1 ≤ k < ω, and let ϕ, ψ ∈ C be temporal formulas with max{|ϕ|, |ψ|

}=

k + 1.

(C = LTLCND(AP), C′ = LTLdet(AP)) Obviously, two compound LTLformulas are syntactically identical only if they have the same main con-nective. It is easy to check directly from the rewrite rules that [ϕ]det 6=

[ψ]det holds if ϕ and ψ have different main connectives from one of the sets{X,∨,∧,Us,Uw}, {X,∨,∧,Rs,Rw}, {Us,Rw} or {Uw,Rs}, because the trans-

lation from LTLCND(AP) to LTLdet(AP) either preserves the main connec-tive of every formula (or the strength of the formula’s main connective if it isUs or Uw). In the remaining case, ϕ = (θUϕ1) and ψ = (ψ1 R θ′) hold forsome θ, θ′ ∈ PL(AP) and ϕ1, ψ1 ∈ LTLCND(AP) (and U and R have thesame strength).

Suppose that [ϕ]det = [ψ]det holds. From the recursive definition, wesee that [ϕ]det =

((¬θ ∨ [ϕ1]

det) R (¬(¬θ) ∨ [ϕ1]det)

)and [ψ]det =

((¬θ′ ∨

[ψ1]det) R (¬(¬θ′) ∨ ⊥)

), and it follows that θ = θ′, [ϕ1]

det = [ψ1]det and

[ϕ1]det = ⊥ must hold in this case. But then also [ψ1]

det = ⊥ and ψ1 = ⊥hold, and thus we may write ψ = (ψ1 R θ′) = (⊥R θ′). This is, however, acontradiction, because ψ is in CND-normal form. Therefore at least one ofθ 6= θ′, [ϕ1]

det 6= [ψ1]det or [ϕ1]

det 6= ⊥ holds, and thus [ϕ]det 6= [ψ]det.If ϕ and ψ have the same main connective, then the result follows easily

from the induction hypothesis (in case ∧, use the fact that both ϕ and ψ arein CND-normal form). We present the case Us as an example.

Let ϕ = (θUs ϕ1) and ψ = (θ′ Us ψ1) for some θ, θ′ ∈ PL(AP) andϕ1, ψ1 ∈ LTLCND(AP). Because ϕ 6= ψ holds, then either θ 6= θ′ or ϕ1 6= ψ1

holds. In the latter case, [ϕ1]det 6= [ψ1]

det holds by the induction hypothesisbecause max

{|ϕ1|, |ψ1|

}≤ k. In both cases, it is easy to see that [ϕ]det =(

(¬θ∨[ϕ1]det) Rs (¬(¬θ)∨[ϕ1]

det))6=

((¬θ′∨[ψ1]

det) Rs (¬(¬θ′)∨[ψ1]det)

)=

[ψ]det, and the result follows.


The result holds by induction for all pairs of syntactically distinct temporalformulas in CND-normal form.

(C = LTLdet(AP), C′ = LTLCND(AP)) It is again easy to check from the

rewrite rules that [ϕ]CND 6= [ψ]CND holds if ϕ and ψ have different mainconnectives from one of the sets {X,∨,Rs,Rw} or {X,∧,Rs,Rw}. Supposethat [ϕ]CND = [ψ]CND holds for ϕ = (ϕ1 ∨ ϕ2) and ψ =

((θ ∨ ψ1) ∧ (¬θ ∨

ψ2))

(ϕ1, ϕ2, ψ1, ψ2 ∈ LTLdet(AP) and θ ∈ PL(AP)). Then([ϕ1]

CND ∨[ϕ2]

CND)

=((¬θ∧[ψ1]

CND)∨(θ∧[ψ2]CND)

)holds, and thus [ϕ1]

CND =(¬θ∧

[ψ1]CND

)and [ϕ2]

CND =(θ∧ [ψ2]

CND)

must hold in this case. Because none

of the recursive rules for translating a temporal formula from LTLdet(AP) toLTLCND(AP) creates a formula having the operator ∧ as its main connective,however, [ϕ1]

CND and [ϕ2]CND are necessarily propositional formulas, and

thus also ϕ ∈ PL(AP). This contradicts the assumption that both ϕ andψ are temporal formulas. It follows that [ϕ]CND 6= [ψ]CND holds also in thiscase.

If ϕ1 and ϕ2 have the same main connective, then the result follows by theinduction hypothesis similarly to the other direction. Therefore, [ϕ]CND 6=[ψ]CND holds by induction for all pairs of syntactically distinct temporal for-

mulas ϕ, ψ ∈ LTLdet(AP). �

We can now show that translating formulas between LTLCND(AP) and

LTLdet(AP) incurs no blow-up in the number of pure temporal subformulas.

Proposition 4.6.9 Let C be one of the syntactic subclasses LTLCND(AP) or

LTLdet(AP), let C′ be the opposite subclass, let ϕ ∈ C, and let [ϕ] be theformula obtained from ϕ via the translation from C to C′. The formula [ϕ]has at most as many syntactically distinct pure temporal subformulas as ϕ.

Proof: If C = LTLCND(AP), we assume that ϕ is in CND-normal formfor the inductive proof. The result then follows easily for all formulas ϕ ∈LTLCND(AP), because the CND-normal form of ϕ has at most as many syn-tactically distinct pure temporal subformulas as ϕ.

If ϕ is a propositional formula, then [ϕ] = ϕ holds, and Temp([ϕ]

)=

|Temp(ϕ)| = 0 obviously holds in this case. In particular, the result holdsif |ϕ| = 1. Assume that Temp

([ϕ]

)≤ |Temp(ϕ)| holds for all formulas

ϕ ∈ C (in CND-normal form, if C = LTLCND(AP)) with |ϕ| ≤ k for some1 ≤ k < ω, and let ϕ ∈ C be a temporal formula of length k + 1.

(C = LTLCND(AP), C′ = LTLdet(AP)) It is easy to see from the rewrite

rules that Temp([ϕ]

)≤ |Temp(ϕ)| holds if ϕ is of the form Xϕ1, (θ ∧ ϕ1),

(θUϕ1) or (ϕ1 R θ) for some θ ∈ PL(AP) and ϕ1 ∈ LTLCND(AP), be-cause Temp

([ϕ1]

)≤ |Temp(ϕ1)| holds by the induction hypothesis (clearly

|ϕ1| ≤ k holds, and because ϕ is in CND-normal form, so is ϕ1).If ϕ = (ϕ1 ∨ ϕ2) (for formulas ϕ1, ϕ2 ∈ LTLCND(AP) in CND-normal

form), then [ϕ] =([ϕ1] ∨ [ϕ2]

). In this case

|Temp(ϕ)| = |Temp(ϕ1)| + |Temp(ϕ2)| − |Temp(ϕ1) ∩ Temp(ϕ2)|

and

Temp([ϕ]

)= Temp

([ϕ1]

)+ Temp

([ϕ2]

)

− Temp([ϕ1]

)∩ Temp

([ϕ2]

).


Because |ϕ1| ≤ k and |ϕ2| ≤ k hold, Temp([ϕ1]

)≤ |Temp(ϕ1)| and

Temp([ϕ2]

)≤ |Temp(ϕ2)| hold by the induction hypothesis. The re-

sult obviously follows if also Temp([ϕ1]

)∩ Temp

([ϕ2]

)≥ |Temp(ϕ1) ∩

Temp(ϕ2)| holds. We check that this is indeed the case.Clearly, if Temp(ϕ1) and Temp(ϕ2) share a pure temporal subformula

ψ ∈ Temp(ϕ1) ∩ Temp(ϕ2), then Temp([ϕ1]

)and Temp

([ϕ2]

)share the

pure temporal subformula [ψ] by Lemma 4.6.7. On the other hand, [ψ] 6=[ψ′] holds for all pairs of syntactically distinct pure temporal subformulasψ, ψ′ ∈ Temp(ϕ1) ∩ Temp(ϕ2) (ψ 6= ψ′) by Lemma 4.6.8. Therefore, thenumber of syntactically distinct pure temporal subformulas in Temp

([ϕ1]

)∩

Temp([ϕ2]

)cannot be smaller than their number in Temp(ϕ1)∩Temp(ϕ2).

The result holds by induction on the length of ϕ for all temporal formulasϕ ∈ LTLCND(AP) in CND-normal form.

(C = LTLdet(AP), C′ = LTLCND(AP)) The proof is analogous to theother direction. The result can be verified directly from the induction hy-

pothesis if ϕ = Xϕ1 holds for some ϕ1 ∈ LTLdet(AP), and in the other casesby using Lemma 4.6.7 and Lemma 4.6.8 to establish that Temp

([ϕ]

)≤

|Temp(ϕ)| holds. �

Because the syntactic subclasses LTLCND(AP ) and LTLdet(AP) are ex-pressively equivalent, it is possible to combine the definitions of the sub-classes to facilitate specifying LTL properties that can be translated directlyinto self-loop nondeterministic automata. For example, formulas built usingthe shorter syntactic closure rules of LTLCND(AP) may be easier to read than

the corresponding formulas of LTLdet(AP). On the other hand, the closure

rules of LTLdet(AP) can be used as templates for special translation rules[Maidl 2000a] for building automata from certain LTL formulas.

4.6.5 A Remark on Satisfiability

Because the satisfiability problem for full LTL is PSPACE-complete [Sistlaand Clarke 1982, 1985], some research effort has been directed at findingsubclasses of LTL for which this problem is of lower computational com-plexity. In particular, this research has resulted in the discovery of severalNP-complete subclasses of LTL, such as LTL with X or F as the only tem-poral operator [Sistla and Clarke 1982, 1985], LTL with both of these tem-poral operators but negation restricted only to atomic formulas [Sistla andClarke 1982, 1985], subclasses obtained by restricting the number of atomicpropositions or the nesting of temporal operators [Demri and Schnoebe-len 1998, 2002], and LTL with F and a set of X operators parameterizedby the underlying alphabet [Muscholl and Walukiewicz 2004, 2005]. (Ofcourse, NP-completeness amounts to lower computational complexity onlyif NP 6= PSPACE.)

In this section we show the satisfiability problem in LTLCND(AP) to beNP-complete. Actually, this result follows from the NP-completeness of sat-isfiability in the existential (∃CTL) fragment of the branching time temporallogic CTL [Kupferman and Vardi 1995, 2000]:5 due to the strict restrictions

5Thanks to Orna Kupferman for pointing out this connection.


concerning the closure of LTLCND(AP) under the ∧, U and R operators, re-placing each temporal operator of a formula in LTLCND(AP) with the corre-sponding existentially path-quantified CTL operator yields an ∃CTL formulawhich can be shown to have a nonbranching computation tree model (that isdirectly identifiable as a word model for the formula in LTLCND(AP)) iff it issatisfiable. We shall nevertheless present an NP-completeness proof for satis-fiability in the subclass LTLCND(AP) in detail using a more direct approachsince this proof will apply without changes—in contrast to the reduction to∃CTL satisfiability—also to an extension of the subclass LTLCND(AP) to beconsidered later in Sect. 5.6.3.

By Corollary 4.6.4, any formula ϕ ∈ LTLCND(AP) ⊆ LTL(AP) can betranslated into a self-loop nondeterministic automaton having at most 2 +|Temp(ϕ)| ≤ 1 + |ϕ| states. Recall from Sect. 3.2.3 that also the number ofacceptance conditions in the automaton is bounded by |Temp(ϕ)| ≤ |ϕ| inthis case (because |Temp(ϕ)| = Temp

([ϕ]PNF

)holds). These facts imply

the following upper bound on the encoding of models of LTL formulas inLTLCND(AP).

Proposition 4.6.10 Let ϕ ∈ LTL(AP) be an LTL formula whose models arefin-recognized by a self-loop nondeterministic automaton (working on thealphabet 2AP ) with at most 1+ |ϕ| states and |ϕ| acceptance conditions. Theformula ϕ is satisfiable iff there exist finite words u, v ∈ (2AP)∗, |u| ≤ |ϕ|,1 ≤ |v| ≤ |ϕ|, such that uvω |= ϕ holds.

Proof: (Only if) Assume that ϕ is satisfiable, i.e., L(ϕ) 6= ∅ holds. Let A =

〈2AP , Q,∆, qI ,F〉 be a nondeterministic automaton that fin-recognizes thelanguage L(ϕ) (with |Q| ≤ 1 + |ϕ| and F = {f0, f1, . . . , fn−1} for some0 ≤ n ≤ |ϕ|), and let w ∈ L(ϕ). By the assumption, A has a fin-acceptingrun G = 〈V,E, L〉 on w. Because A is nondeterministic, ∆ contains notransitions with an empty set of target states, and thus G contains an infinitebranch β ∈ B(G) (L is consistent).

Because A is a self-loop nondeterministic automaton, the branch β con-verges to a nontransient state q ∈ Q of A by Corollary 2.3.19. It is easy tosee that we can extract from β a chain of edges e0, e1, . . . , ek ∈ E (for some0 ≤ k < ω) such that the labels of the source nodes of these edges form a sim-ple path (qi)0≤i≤k from qI to q for some 0 ≤ k ≤ |Q|−1 ≤ 1+ |ϕ|−1 = |ϕ|.Because G is a run, the labels of the edges ei form a chain of transitions(ti)0≤i≤k ∈ ∆k+1, where ti = 〈qi,Γi, Fi, Q

′i〉 (with Γi 6= ∅ and Q′

i = {qi+1})holds for all 0 ≤ i < k, and Q′

k−1 = {q}. Additionally, because q is anontransient state of the nondeterministic automaton A, there exists for all0 ≤ j < n′ def

= max{n, 1} a transition t′j =⟨q,Γ′

j, F′j, {q}

⟩∈ ∆ with Γ′

j 6= ∅and (if j < n) fj /∈ Fj.

Let σi ∈ Γi and σ′j ∈ Γ′

j for all 0 ≤ i < k and 0 ≤ j < n′, respectively,

let udef= σ0σ1 · · ·σk−1, and let v

def= σ′

0σ′1 · · ·σ

′n′−1. Clearly, |u| = k ≤ |ϕ| and

1 ≤ |v| = n′ = max{n, 1} ≤ |ϕ| hold. We show that A has a fin-accepting

run on the word w′ def= uvω. Let G′ = 〈V ′, E ′, L′〉, where

• V ′ def=

⋃0≤i<ω V

′i , and V ′

i

def= {vi} for all 0 ≤ i < ω;

• E ′ def=

⋃0≤i<ω

{〈vi, V

′i+1〉

};


• L′(vi)def= qi and L′

(〈vi, V

′i+1〉

)def= ti for all 0 ≤ i < k, and L′(vi)

def= q

and L′(〈vi, V

′i+1〉

)def= t′(i−k) mod |v| for all k ≤ i < ω.

Obviously,G′ satisfies the partitioning and causality constraints, andL′(v0) =q0 = qI . Let e = 〈vi, V

′i+1〉 ∈ E ′ be an edge in G′ for some 0 ≤ i < ω. If

i < k, then L′(e) = ti = 〈qi,Γi, Fi, Q′i〉 =

⟨L′(vi),Γi, Fi, L

′(V ′i+1)

⟩∈

∆, and because w′(i) = u(i) = σi ∈ Γi, L is consistent in this case.Otherwise L′(e) = t′(i−k) mod |v| =

⟨q,Γ′

(i−k) mod |v|, F′(i−k) mod |v|, {q}

⟩=⟨

L′(vi),Γ′(i−k) mod |v|, F

′(i−k) mod |v|, L

′(V ′i+1)

⟩∈ ∆, and L is consistent, be-

cause w′(i) = v((i− k) mod |v|

)= σ′

(i−k) mod |v| ∈ Γ′(i−k) mod |v| holds. It is

easy to see that G′ contains a unique infinite branch, and this branch is fin-accepting, because for all 0 ≤ i < n, fi /∈ Fj holds for all k ≤ j < ω suchthat i = (j − k) mod |v|. Thus A fin-accepts uvω, and by Theorem 3.4.2,uvω |= ϕ holds.

(If) If uvω |= ϕ holds, then uvω ∈ L(ϕ) 6= ∅, and thus ϕ is satisfiable. �

Proposition 4.6.10 leads to the following result on computational com-plexity.

Corollary 4.6.11 Let AP be a countably infinite set of atomic propositions.The satisfiability problem for LTLCND(AP) is NP-complete.

Proof: Because the satisfiability problem for formulas in PL(AP) that arein conjunctive normal form is NP-hard [Cook 1971], NP-hardness followstrivially because PL(AP) ⊆ LTLCND(AP). Let ϕ ∈ LTLCND(AP). ByProposition 4.6.10, ϕ is satisfiable iff there exist words u, v ∈ (2AP)∗ of lengthat most |ϕ| such that uvω |= ϕ holds. A nondeterministic decision procedurefor testing the satisfiability of ϕ guesses two words u, v ∈ (2AP)∗ of length atmost |ϕ| and checks whether uvω |= ϕ holds. This check can be done inpolynomial time in

(|u| + |v|

)· |ϕ| ∈ O

(|ϕ|2

)[Wolper 1987] (for example,

using the algorithm of Clarke et al. [1983, 1986]). The satisfiability of ϕ cannow be decided in nondeterministic polynomial time because also the wordsu and v can be constructed in polynomial time in |ϕ|. (When choosing asubset of AP , it is sufficient to restrict to those propositions which occur inϕ; because also the number of these propositions is bounded by |ϕ|, u and vcan be constructed in polynomial time in |ϕ|.) �


5 REFINING THE BASIC TRANSLATION RULES

In this chapter we explore methods for improving the basic translation proce-dure from LTL into self-loop alternating automata by refining the translationrules defined in Sect. 3.1. Except for mentioning some standard syntacticheuristics for reducing the number of temporal subformulas in an LTL for-mula and for representing and simplifying guards of transitions in automatabuilt using the translation rules (Sect. 5.1), we take a high-level theoreticalapproach to optimizing the translation rules by exploiting language contain-ment relationships between self-loop alternating automata (Sect. 5.2). Inaddition to using language containment tests between automata built in thetranslation as simple “pre- and postprocessing” steps for the translation rules(Sect. 5.3), we shall also refine the translation rules themselves (Sect. 5.4,Sect. 5.5): instead of building a compound automaton from one or two com-ponent automata always in the same way, taking the semantic properties ofthe component automata into account may make it possible to constructcompound automata with a simpler transition structure than the one de-termined by the basic rules. Some of the refined rules even prove to beuniversally applicable. Finally, we compare the new translation rules withthe original ones and use them to extend the class of LTL formulas that canbe translated into nondeterministic automata without applying the universalsubset construction (Sect. 5.6).

5.1 SIMPLE OPTIMIZATIONS

5.1.1 Subformulas with Commutative Main Connectives

A standard basic heuristic for reducing the number of steps required for trans-lating (the positive normal form of) a formula ϕ ∈ LTL(AP) into an automa-ton is to order the top-level subformulas of each subformula of [ϕ]PNF with acommutative binary main connective (∨ or ∧ in our set of basic operators)systematically (e.g., using a lexicographic ordering of LTL formulas), for ex-ample, as an explicit preprocessing step before the translation. Even thoughfixing the order of subformulas has no effect on the number of states in theresulting automaton (by Corollary 3.2.2, this number does not depend onthe subformulas of [ϕ]PNF with a Boolean main connective), it may never-theless decrease the total number of translation steps, which is proportionalto the number of syntactically distinct subformulas in ϕ. This way, the trans-lation procedure may also avoid repeating potentially expensive automatonminimization operations (such as those presented later in this chapter) onautomata built for logically equivalent subformulas of [ϕ]PNF that differ onlyin the order of their top-level subformulas.

5.1.2 Transition Guard Simplification

As noted in Sect. 3.1.1, all transition guards of an automaton constructedusing the translation rules are finite conjunctions of one or more atomic

5. REFINING THE BASIC TRANSLATION RULES 117

formulas (also referred to as terms in the literature [Etessami and Holz-mann 2000]). Due to the associativity of the ∧ operator, each guard for-mula θ ∈ PL(AP) can be expressed (omitting parentheses) in the formθ = µ1 ∧ µ2 ∧ · · · ∧ µn for some 1 ≤ n < ω, where µi ∈ PL(AP) is anatomic formula for all 1 ≤ i ≤ n. The formula can then be simplified usingthe commutativity of ∧ and the classic identities of propositional logic:

(θ ∧ θ) ≡ θ (θ ∧ ¬θ) ≡ (¬θ ∧ θ) ≡ ⊥(θ ∧ >) ≡ (>∧ θ) ≡ θ (θ ∧⊥) ≡ (⊥∧ θ) ≡ ⊥

It is easy to see that every guard formula can thus be written in a form inwhich it is either equal to one of the Boolean constants, or it is a conjunctionof literals formed from distinct atomic propositions. Because the formula ⊥is unsatisfiable (i.e., because L(⊥) = ∅ holds), it follows immediately byCorollary 2.3.11 that all transitions with ⊥ as a guard can be removed fromthe alternating automaton without changing its language.

Several authors have suggested using binary decision diagrams (BDDs)[Bryant 1986] for encoding and manipulating transition guards expressed asBoolean formulas [Couvreur 1999; Thirioux 2002; Latvala 2003]. However,as observed by Gastin and Oddoux [2001], guards given in the above veryrestricted form (a conjunction of literals) can be encoded and manipulatedefficiently as pairs of sets of atomic propositions. More precisely, the con-junction of literals θ = µ1 ∧ µ2 ∧ · · · ∧ µn ∈ PL(AP) can be encoded asthe pair 〈P1, P2〉 ∈ 2AP ×2AP , where P1 (P2) collects all atomic propositionsp ∈ AP for which µi = p (µi = ¬p) holds for some 1 ≤ i ≤ n; in thisnotation, the Boolean constant > corresponds to the pair 〈∅, ∅〉. This en-coding allows straightforward implicit application of the above propositionalidentities when building new guards from previously defined ones duringthe translation. It is also easy to check for the validity of propositional im-plications between two transition guards (a prerequisite for many automatonminimization operations presented in this chapter and in the literature) with-out using the full power of BDDs. More precisely, if 〈P1, P2〉 and 〈P ′

1, P′2〉

are the encodings of the guard formulas θ ∈ PL(AP) and θ′ ∈ PL(AP),respectively, then (θ ∧ θ′) is represented by the pair 〈P1 ∪ P

′1, P2 ∪ P

′2〉, θ is

unsatisfiable iffP1∩P2 6= ∅ holds, and the propositional implication (θ → θ′)is valid iff P ′

1 ⊆ P1 and P ′2 ⊆ P2 hold.

Example 5.1.1 Using the above simplification rules for transition guards,

the automaton built in Ex. 3.1.1 for the LTL formula((

⊥Rw (>Us p1))∧

(⊥Rw (>Us p2)

))(repeated in Fig. 5.1 (a)) can be replaced with the one

shown in Fig. 5.1 (b) before using the automaton as a component in anothertranslation rule. �

5.2 LANGUAGE CONTAINMENT CHECKING BETWEEN SELF-LOOP ALTER-

NATING AUTOMATA

Informally, techniques for the optimization and minimization of automataare used to transform automata into “simpler” automata such that the op-

118 5. REFINING THE BASIC TRANSLATION RULES

> >

(> ∧ p2) (p1 ∧ >)

>p1

p1

p2

(p1 ∧ p2)

p2(> ∧>)

>

> >

p2 p1

>p1

p1

p2

(p1 ∧ p2)

p2>

>

(a) (b)

Fig. 5.1: Simplifying the transition guards of an automaton. (a) An automaton built

for the LTL formula((

⊥Rw (>Us p1))∧

(⊥Rw (>Us p2)

)); (b) Automaton ob-

tained from (a) via transition guard simplification

timized automata can be substituted for the original automata in all possi-ble applications. Although the formal meaning of “simple” may vary fromcontext to context, this assumption on substitutability mandates that an op-timized automaton should, at the very least, recognize the same languageas the original one. It is therefore not surprising that constraints neededto ensure that techniques designed for optimizing the automaton have thisproperty are often naturally expressible in a unified way in terms of lan-guage equivalence (or weaker language containment) relationships betweenautomata. We shall give examples of such conditions applied to the opti-mization of self-loop alternating automata throughout this and the followingchapter. Before discussing these applications, however, we review the ba-sic theoretical principles of language containment testing in this section andpoint out observations specific to handling this task with self-loop alternatingautomata.

Questions on language containment are traditionally answered compu-tationally by reusing effective decision procedures for checking languageemptiness. Given two languages L1 and L2 of infinite words over a finitealphabet Σ, the classic reformulation of the language containment relation-ship L1 ⊆ L2 as language emptiness follows directly from the observationthat all words in the language L1 belong to the language L2 iff no wordin L1 belongs to the complement of L2 with respect to Σω, i.e., iff the setintersection L1 ∩ L2 is empty. If the languages L1 and L2 correspond tolanguages Lfin(A1) and Lfin(A2) (fin-)recognized by two automata A1 andA2 (respectively) from a class of automata which is closed under operationsfor constructing automata for Boolean combinations of languages, it followsthat the emptiness of the language L1 ∩ L2 = Lfin(A1) ∩ Lfin(A2) can bedecided effectively by applying a decision procedure for language emptinessto an automaton built from A1 and A2 using these operations. In particu-lar, the complement language Lfin(A2) is recognized by an automaton builtfrom the automaton A2 using a complementation procedure.

The powerful result of Muller and Schupp [1985, 1987] provides an el-egant theoretical construction for complementing an alternating automatonby “dualizing” its transition relation and its acceptance mode (for formal


definitions, see [Muller and Schupp 1985, 1987]). The apparent simplicityof the construction is due, however, to a definition of alternating automatawhich uses a symbolic Boolean encoding for the transition relation of theautomaton, but at the same time (in effect) restricts the guards of transitionsto individual elements of the automaton’s alphabet. These requirements arenot directly compatible with our conventions for representing alternating au-tomata having the alphabet 2AP . On the one hand, the individual transitionsof the automaton are not always easily distinguishable from the symbolicBoolean encoding of the transition relation of the automaton; on the otherhand, however, allowing Boolean formulas as guards of transitions (Sect. 3.1)makes it possible to represent many transitions on individual symbols of theautomaton’s alphabet as a single transition if the transitions share their targetstates and acceptance conditions. A further practical difficulty is caused bythe modification to the acceptance mode of the automaton in the comple-mentation construction. Because Boolean operations on automata are usu-ally designed for automata working in the same acceptance mode, it is in ourcase not possible to combine the automaton built from the automaton A2 viadualization directly with the automaton A1 to obtain an automaton for thelanguage Lfin(A1)∩Lfin(A2). Although the acceptance mode of the dualizedautomaton can be easily reduced back to the original one when working with(very) weak alternating automata (whose acceptance mode can be identifiedwith a special case of state-based inf- or fin-acceptance using a single accep-tance condition), this reduction does not generalize directly into self-loopautomata with multiple acceptance conditions associated with transitions.This last difficulty could perhaps be overcome by replacing the acceptanceconditions in the automaton A2 with a single condition before dualization—for example, by designing a generalized version of one of the constructionsused for this purpose with nondeterministic automata [Emerson and Sistla1984a,b; Courcoubetis et al. 1991, 1992]—and mapping transition-based ac-ceptance into state-based acceptance (which could be combined with thereduction in the number of acceptance conditions; see, for example, [Gastinand Oddoux 2001]). The resulting automaton could then be complementedvia an intermediate translation to weak alternating automata as suggested byKupferman and Vardi [1997, 2001] (see also [Löding 1998; Thomas 1999]for a closely related approach).

It is apparent from the above discussion that the direct adaptation of com-plementation constructions from the literature to our definition of alternat-ing automata depends on many intricate intermediate automata transforma-tions, all of which add to the challenge of implementing a complementationprocedure correctly. For self-loop alternating automata, however, a generalcomplementation construction is not necessarily needed because of the ex-pressive equivalence between these automata and propositional linear timetemporal logic. If the self-loop alternating automata A1 and A2 recognizethe languages of two LTL formulas ϕ1 and ϕ2, respectively, it follows directlyfrom the correctness of the basic translation procedure between LTL and self-loop alternating automata (Theorem 3.3.2) that the language Lfin(A2) canbe fin-recognized by an automaton built from the formula [¬ϕ2]

PNF. Knowl-edge of the LTL formulas corresponding to the given self-loop automata thusmakes it possible to avoid using a direct complementation construction for


automata by reusing the translation procedure from LTL into automata.Because the automata A1 and A2 used in language containment checks to

be discussed in this chapter will often have been obtained in substeps in thetranslation of an LTL formula ϕ ∈ LTLPNF(AP) into an automaton, the cor-respondence between the automata built in the translation and the node sub-formulas of ϕ ensures that the formula [¬ϕ2]

PNF is already known—or can bedetermined easily by syntactic techniques—when testing whether Lfin(A1)∩

Lfin(A2) = ∅ (equivalently, whether Lfin(A1) ⊆ Lfin(A2)) holds. In thiscase the automaton built for the language Lfin(A2) also shares its acceptancemode with the automaton A1 by construction and can therefore be directlycombined with this automaton in a decision procedure for language empti-ness. Additionally, because Temp

([ϕ]PNF

)= Temp

([¬ϕ]PNF

)holds for

all LTL formulas ϕ ∈ LTL(AP), the automaton built from the formula[¬ϕ2]

PNF has at most 1 + Temp([ϕ2]

PNF)

states by Corollary 3.2.2. Ifthe automaton A2 was originally built from the formula ϕ2, the automatonfor the complement language has at most as many states as the automatonA2, identically to an automaton built from A2 by dualization. However, allmeans of complementing self-loop alternating automata conforming to ourdefinition will in the worst case cause an exponential blow-up in the numberof transitions in the automaton due to the explicit representation of transi-tions (for example, when complementing automata built from Boolean for-mulas in disjunctive normal form with two or more literals in each disjunct).

Nevertheless, it is not always directly possible to reuse the basic transla-tion procedure from LTL into automata to handle language containmenttests if the LTL formulas corresponding to the automata A1 or A2 are notknown beforehand in the context. In this case, direct dualization can still beavoided by applying the reverse translation discussed in Sect. 3.4 to, for exam-ple, the automaton A2 to find an LTL formula to be negated and translatedback into an automaton for the language Lfin(A2). In this work, however, weshall focus mostly on special cases that can be handled without applying re-verse translation. Even though giving up the ability to complement arbitraryself-loop alternating automata (i.e., the ability to perform arbitrary languagecontainment tests) will reduce the opportunities for the simplification of au-tomata, we shall obtain a collection of optimizations in which all languagecontainment assumptions can be checked by applying the basic translationprocedure to LTL formulas that are easily determined in the context.

Finally, it needs be pointed out that the power of language containmenttesting comes at a cost of high computational complexity, and thus optimiza-tions based on it are unlikely to scale well in practice to large problem in-stances. Clearly, checking for language containment between automata builtfrom two subformulas of an LTL formula to be translated into an automatonis essentially equivalent to checking for language containment between theformulas themselves; however, this latter problem is easily seen to be alreadyPSPACE-hard in the length of the formulas since the decision problem forthe satisfiability of LTL formulas is PSPACE-complete [Sistla and Clarke1982, 1985]. (Obviously, an LTL formula ϕ is not satisfiable iff L(ϕ) ⊆ L(⊥)holds.) As already seen in Sect. 3.2.2 and Sect. 3.4, our constructions forbuilding automata from LTL formulas and vice versa are inherently expo-nential in the length of formulas and the number of states in the automata.


Table 5.1: LTL equivalences under various language containment relationshipsRelationship between languages

L(ϕ1) ⊆ L(ϕ2) L(ϕ1) ⊆ L(ϕ2) L(ϕ1) ⊆ L(ϕ2) L(ϕ2) ⊆ L(ϕ1)

(ϕ1 ∨ ϕ2) ϕ2 > ϕ1

(ϕ1 ∧ ϕ2) ϕ1 ⊥ ϕ2

(ϕ1 Us ϕ2) ϕ2 (>Us ϕ2) (ϕ2 Rs ϕ1)†

(ϕ1 Uw ϕ2) ϕ2 > (ϕ2 Rw ϕ1)†

For

mu

la

(ϕ1 Rs ϕ2) (ϕ2 Us ϕ1)† ⊥ ϕ2

(ϕ1 Rw ϕ2) (ϕ2 Uw ϕ1)† (⊥Rw ϕ2) ϕ2

† See also Sect. 5.5.

5.3 RULE PREPROCESSING USING LANGUAGE CONTAINMENT

A language containment relationship between automata built for the top-level subformulas of a binary LTL formula (equivalently, between the sub-formulas themselves) may allow simplifying the compound automaton builtfrom these automata. For example, if the language of an LTL formula ϕ1 ∈LTL(AP) is contained in the language of another formula ϕ2 ∈ LTL(AP)(i.e., if L(ϕ1) ⊆ L(ϕ2) holds), then L

((ϕ1∧ϕ2)

)= L(ϕ1)∩L(ϕ2) = L(ϕ1)

holds. Therefore the automaton already built for ϕ1 can be reused to obtainan automaton for the formula (ϕ1 ∧ ϕ2) directly, instead of defining the au-tomaton by applying the translation rule given for the ∧ connective. Reusingthe automaton built for ϕ1 will thus likely result in a smaller automaton forthe compound formula than the one that would have been obtained by usingthe translation rule: for example, there is no need to take a new initial statefor the automaton for the compound formula.

Table 5.1 contains formula simplification rules that follow from a numberof possible assumptions about the relationship between the languages of twoLTL formulas. Each cell in the table gives an LTL formula that is logicallyequivalent to the formula labeling the row of the cell under the languagecontainment relationship given as the label of the cell’s column; empty cellscorrespond to cases in which the assumptions do not lead to direct simplifi-cation of the formulas. The correctness of each rule can be verified directlyfrom the semantics of LTL. Because the LTL formulas referred to in theconditions for language containment are subformulas of the compound for-mulas labeling the rows of the table, the complement of the language of eachof these subformulas (required in the language containment test) can be rec-ognized by an automaton built directly for the positive normal form of thenegated subformula.

The expressive equivalence between LTL formulas and self-loop alternat-ing automata guarantees that an automaton built for a formula in a nonemptycell of Table 5.1 can always be substituted for the compound automatonbuilt for the formula labeling the row of the cell. The formula substitutionis clearly preferable whenever either one of the original formula’s subfor-mulas can be discarded (or replaced with a Boolean constant) in the sub-stitution. However, under some assumptions on language containment, thereplacement formula for an Until (Release) formula is a Release (Until) for-mula of the corresponding strength with only the order of the subformulas


reversed. We shall investigate these cases further in Sect. 5.5, where we usethe same language containment assumptions to refine the translation rulesfor these connectives. The identities in Table 5.1 can nevertheless be usedfor reducing the effective number of distinct subformulas to which the trans-lation needs to be applied when translating a formula ϕ ∈ LTLPNF(AP)into an automaton. For example, by treating all subformulas of the form(ϕ1 Rs ϕ2) ∈ Sub(ϕ), where L(ϕ1) ⊆ L(ϕ2), systematically as formulas ofthe form (ϕ2 Us ϕ1), an automaton built for the formula (ϕ2 Us ϕ1) can ob-viously be reused as the automaton for the formula (ϕ1 Rs ϕ2). This substi-tution effectively reduces the number of syntactically distinct temporal sub-formulas in ϕ and therefore also the worst-case size of an automaton for ϕ(Corollary 3.2.2). Furthermore, the basic translation rules suggest that itmay be preferable to replace Release formulas with Until formulas and notvice versa, since the worst-case number of initial transitions in a compoundautomaton created by a Release rule is proportional to the product instead ofthe sum of the numbers of the initial transitions in the component automata.

The simplification rules in Table 5.1 reduce to well-known easy-to-checkspecial cases when one of the subformulas involved in the language contain-ment test is a Boolean constant, due to the fact that

∅ = L(⊥) = L(>) ⊆ L(ϕ) ⊆ L(>) = L(⊥) = (2AP)ω

holds for all LTL formulas ϕ ∈ LTL(AP). These special cases, togetherwith the identities X> ≡ > and X⊥ ≡ ⊥ for the Next Time connective,can be checked syntactically from the formulas and can therefore be usedeven if checking for general language containment is considered too expen-sive. Checking for syntactic special cases that imply language containmentis a standard technique used in most actual implementations (for example,[Etessami and Holzmann 2000; Somenzi and Bloem 2000; Thirioux 2002])usually as a preprocessing step; clearly, performing the translation incremen-tally supports combining the formula rewriting step easily with the translationitself.

In addition to checking for language containment relationships before ap-plying a translation rule, language containment checks can also be used im-mediately after applying the rule to test whether the language accepted bythe newly defined automaton for a compound formula ϕ is empty (L(ϕ) ⊆L(⊥)), universal (that is, equal to (2AP)ω, L(>) ⊆ L(ϕ)), or equal to thelanguage of another LTL formula ϕ′ corresponding to some previously builtautomaton (L(ϕ) ⊆ L(ϕ′) and L(ϕ′) ⊆ L(ϕ)). Obviously, such relation-ships may again allow reducing the compound automaton into a simpler oneby, for example, improving the opportunities for Boolean constant propaga-tion at the cost of an increase in the number of language containment tests.

5.4 THE ∧ CONNECTIVE

In this section we define a new translation rule for the ∧ connective that canbe used instead of the basic one to improve the translation in some simplespecial cases. We start with a discussion to illustrate opportunities for opti-mizing the translation rules.


(p1 ∧ p2)

p1 p2

(p1 ∧ p2)

(a) (b)

Fig. 5.2: Two automata for the LTL formula (Gp1 ∧ Gp2). (a) Automaton built forthe formula using the basic translation rules; (b) Minimal automaton for the formula

Intuitively, the basic translation rule for the ∧ connective defines the ini-tial transitions of the automaton for an LTL formula ϕ ∈ LTLPNF(AP) witha subformula of the form (ϕ1 ∧ ϕ2) ∈ Sub(ϕ) by merging all pairs of initialtransitions of the component automata built for the formulas ϕ1 and ϕ2, “un-rolling” all initial self-loops of the automata (see Fig. 3.1 (f), p. 43). Becausethe initial state of every component automaton with an initial self-loop thusbecomes reachable from the initial state of the automaton built for the for-mula (ϕ1 ∧ ϕ2), the state will remain reachable also from the initial state ofthe automaton obtained for the formula ϕ at the end of the translation. It iseasy to see that this feature of the translation rule leads to the construction ofautomata with a suboptimal number of states and transitions already in verysimple cases.

Example 5.4.1 Consider the translation of the LTL formula

(Gp1 ∧ Gp2) ≡((⊥Rs p1) ∧ (⊥Rs p2)

)∈ LTL

({p1, p2}

)

into a self-loop alternating automaton using the basic translation rules. Ap-plying the basic translation rule for the ∧ connective to the automata builtfor the formulas (⊥Rs p1) and (⊥Rs p2) results in the three-state automa-ton shown in Fig. 5.2 (a). Obviously, this automaton is not of minimal sizein the number of states or transitions, since the language of the LTL formula(Gp1∧Gp2) is clearly fin-recognized also by the single-state automaton shownin Fig. 5.2 (b). �

Obviously, an automaton built using the basic translation rules could beoptimized afterwards to reduce the number of states in the automaton. Inthe following, however, we explore techniques for refining the translationrules themselves to make them handle simple optimizations (such as the oneshown in Ex. 5.4.1) directly.

Consider two self-loop alternating automata A1 and A2, both of which fin-accept a word w ∈ Σω over their common alphabet Σ. By Proposition 2.3.7,each of these runs begins with a (possibly empty) chain of edges labeled withinitial self-loops of the respective automaton. If A1 and A2 are used as com-ponents in an application of the translation rule given for the ∧ connective,then the automaton A built using the rule simulates the synchronous behav-ior of A1 and A2 by, in effect, using its initial transitions to spawn copies of A1

and A2 (or their subautomata), which then work in parallel on the rest of theinput as discussed in Sect. 3.1.1. Consequently, every run of A separates into


qI

q1

q2

q3

q4

q5

qI1qI1qI1 qI1

qI2qI2qI2qI2

=⇒ qIqIqIqIqI

q1

q2

q3

q5

q4

qI1 qI1qI1qI1

qI2qI2qI2qI2

Fig. 5.3: Merging the initial segments of two branches in a run of an automatonhaving initial state qI

two (not necessarily disjoint) partitions corresponding to fin-accepting runsof A1 and A2. If both of these runs begin with nonempty chains of edgeslabeled with initial self-loops of A1 and A2, the separation of the run of Ainto two partitions could be postponed by merging initial segments of thesechains together as shown in Fig. 5.3. Furthermore, if no copy of A1 (A2)remains in the initial state of A1 (resp. A2) after the separation, the com-pound automaton A can avoid spawning subautomata rooted at the initialstates of these component automata. If all runs of A admit a similar modi-fication, A does not need any initial transitions to one or both of the initialstates of the automata A1 or A2. Unlike in the basic construction, the initialstate of at least one component automaton now remains a possible candidatefor eventual removal from the automaton obtained at the end of the transla-tion (provided, of course, that no subsequent application of a translation rulecreates transitions to this state, either).

The above principle of merging the initial segments of two branches in arun of a compound automaton A can be made implicit in the translation bymodifying the translation rule for the ∧ connective. Similarly to the basicconstruction, we first collect all pairs of initial transitions of the componentautomata and use the original construction to merge all pairs of transitions,one of which is not a self-loop. However, each pair of self-loops is now testedwhether it could be merged into an initial self-loop of A that simulates thepair of transitions. Since A should still be allowed to take a transition iff thecomponent automata can take a pair of synchronous transitions, it is againnatural to form the guard of the self-loop as the logical conjunction of theguards of the individual transitions. The target states of each initial transitionof A would normally be formed as the union of the target states of the tran-sitions to be merged; however, since we intend to prevent the run of A fromseparating into two partitions, we replace the initial states of the componentautomata in this set with the initial state of A. To define the acceptanceconditions of the new self-loop, it is tempting to try a similar strategy by tak-ing the union of the acceptance conditions of the pair of transitions to bemerged to prevent A from possibly fin-recognizing more inputs than its com-ponent automata. Analogously to designing a universal subset constructionfor translating a self-loop alternating automaton into a nondeterministic one(Sect. 4.2.1), this intuitive idea is, however, incorrect in the general case.

Example 5.4.2 Figure 5.4 depicts two alternating automata working on thealphabet 2{p1,p2}, together with a self-loop alternating automaton obtainedby the above informal construction for merging initial self-loops of the twoautomata into initial self-loops of the third automaton. It is easy to see that


PSfrag

p1 p2 p1 p2

p1 p2

(p1 ∧ p2) (p1 ∧ p2)

(a) (b)

Fig. 5.4: Self-loops of automata that share common acceptance conditions cannotalways be merged into a single self-loop by forming their acceptance conditions asthe union of the acceptance conditions of the self-loops. (a) Two automata sharinga common acceptance condition; (b) Automaton obtained from the two automataby merging pairs of their initial transitions (taking unions of their acceptance condi-tions)

both automata in Fig. 5.4 (a) fin-accept the word({p1}{p2}

)ω, but this word

does not belong to the language of the automaton in Fig. 5.4 (b): on thisinput, this automaton can take only •-transitions, and thus the run of thisautomaton on this input is not fin-accepting. �

Evidently, the suggested construction for merging initial self-loops of twocomponent automata is not correct in the general case without a means todistinguish between the conditions inherited from the component automatain the compound automaton. As in the universal subset construction ofSect. 4.2.1, this problem could perhaps be overcome by introducing newacceptance conditions. We shall not explore this approach further in thissection, however; instead, we show that the suggested construction is actu-ally correct for a restricted class of automata that includes, in particular, allautomata built from LTL formulas using the basic translation rules. The restof this section is devoted to showing this result. (Actually, the result shown be-low is slightly more general: instead of merging only pairs of initial self-loopsof two component automata into self-loops of a compound automaton, it ispermissible to merge any two initial transitions of the component automataif the union of their target states covers their initial states.) The result leadsto a new translation rule for the ∧ connective (Table 5.2); see also Fig. 5.5.

Proposition 5.4.3 Let A1 = 〈2AP , Q1,∆1, qI1,F1〉 and A2 = 〈2AP , Q2,∆2,qI2,F2〉 be two alternating automata (qI1 6= qI2) that satisfy the followingconstraints:

• A1 and A2 are self-loop alternating automata simplified in the senseof Corollary 2.3.20 (i.e., for all transitions t ∈ ∆1 ∪ ∆2, the set ofacceptance conditions of t is not empty only if t is a self-loop)

• Aq,F1∪F2

1 = Aq,F1∪F2

2 holds for all states q ∈ Q1 ∩Q2;

• for all indices n ∈ {1, 2}, the automaton An is an acceptance closedalternating automaton, and if An has an f -state for some f ∈ Fn, thenAn has an f -representative state; and

• if both A1 and A2 have an f -state for some f ∈ F1 ∩ F2, then A1 andA2 share an f -representative state.


Table 5.2: Definition of a new translation rule for the ∧ connective (continuation ofTable 3.1)

◦ F◦ ∆◦

∧ ∅

⟨qI , (θ1 ∧ θ2), ∅, Q

′1 ∪Q

′2

⟩ 〈qI1, θ1, F1, Q′1〉 ∈ ∆1,

〈qI2, θ2, F2, Q′2〉 ∈ ∆2,

{qI1, qI2} 6⊆ Q′1 ∪Q

′2

∪

⟨qI , (θ1 ∧ θ2), F1 ∪ F2,(Q′

1 ∪Q′2 ∪ {qI}) \ {qI1, qI2}

⟩〈qI1, θ1, F1, Q

′1〉 ∈ ∆1,

〈qI2, θ2, F2, Q′2〉 ∈ ∆2,

{qI1, qI2} ⊆ Q′1 ∪Q

′2

θ1

A1

θ2

θ3

A2qI1 qI2

(a)

θ1

A1 A2

qI

qI1 qI2

θ2

θ3

(θ1 ∧ θ2)

(θ1 ∧ θ3)∧

(b)

Fig. 5.5: New translation rule for the ∧ connective. (a) Two component automataA1 and A2; (b) Automaton built from A1 and A2 using the refined rule for the ∧connective

Define the alternating automaton A = 〈2AP , Q,∆, qI ,F〉, where Qdef= Q1 ∪

Q2 ∪ {qI} (for a new state qI /∈ Q1 ∪Q2),

∆def= ∆1 ∪ ∆2 ∪

⟨qI , (θ1 ∧ θ2), ∅, Q

′1 ∪Q

′2

⟩ 〈qI1, θ1, F1, Q′1〉 ∈ ∆1,

〈qI2, θ2, F2, Q′2〉 ∈ ∆2,

{qI1, qI2} 6⊆ Q′1 ∪Q

′2

∪

⟨qI , (θ1 ∧ θ2), F1 ∪ F2,(Q′

1 ∪Q′2 ∪ {qI}) \ {qI1, qI2}

⟩〈qI1, θ1, F1, Q

′1〉 ∈ ∆1,

〈qI2, θ2, F2, Q′2〉 ∈ ∆2,

{qI1, qI2} ⊆ Q′1 ∪Q

′2

and Fdef= F1 ∪ F2. The automaton A is a self-loop alternating automaton

simplified in the sense of Corollary 2.3.20, Aq,Fn = Aqn holds for all n ∈

{1, 2} and q ∈ Q ∩ Qn, and for all w ∈ (2AP)ω, w ∈ Lfin(A) holds iffw ∈ Lfin(A1) ∩ Lfin(A2) holds. Furthermore, A is an acceptance closedalternating automaton such that if A has an f -state for some f ∈ F , then Ahas an f -representative state that is f -representative also in all automata An

(n ∈ {1, 2}) that have an f -state.

Observe that all automata A1 = 〈2AP , Q1,∆1, qI1,F1〉 and A2 = 〈2AP ,Q2,∆2, qI2,F2〉 constructed from node subformulas of an LTL formula ϕ ∈LTLPNF(AP) using the basic translation rules satisfy the assumptions givenin Proposition 5.4.3. The automata obtained in this way are self-loop alter-nating automata such that Aq,F1∪F2

1 = Aq,F1∪F22 holds for all q ∈ Q1 ∩ Q2

by the discussion in Sect. 3.1.1, and for all f ∈ F1 ∪ F2, the union of thestate sets of A1 and A2 contains at most one f -state (which is the initial state


of a subautomaton built for a strong temporal eventuality subformula of ϕ).Clearly, this f -state is trivially f -representative in any automaton to which itbelongs.

We divide the proof of Proposition 5.4.3 into several lemmas. It is easy tosee that A has the simple structural properties listed in the proposition.

Lemma 5.4.4 Let A1, A2 and A be three alternating automata as specifiedin Proposition 5.4.3. The automaton A is a self-loop alternating automaton(simplified in the sense of Corollary 2.3.20) such that Aq,Fn = Aq

n holds forall n ∈ {1, 2} and q ∈ Q ∩Qn.

Proof: Because A1 and A2 are self-loop alternating automata, it is easy to seethat also the automaton A is a self-loop alternating automaton (all loops in-troduced in the definition of A are self-loops). Furthermore, because A1 andA2 are simplified in the sense of Corollary 2.3.20, then so is A. If q ∈ Q∩Qn

holds for some n ∈ {1, 2}, then q 6= qI holds, and because every transition inthe subautomaton Aq is a transition of An, it follows that Aq,Fn = Aq

n holds.�

The next result shows that every word fin-accepted by A is fin-acceptedby both A1 and A2. (Actually, this language inclusion holds generally for allalternating automata A1 and A2.)

Lemma 5.4.5 Let A1 = 〈2AP , Q1,∆1, qI1,F1〉, A2 = 〈2AP , Q2,∆2, qI2,F2〉and A = 〈2AP , Q,∆, qI ,F〉 be three alternating automata, where qI /∈ Q1 ∪Q2 holds, andQ (∆, F ) is defined fromQ1 andQ2 (∆1 and ∆2, F1 and F2) asspecified in Proposition 5.4.3. For all w ∈ Lfin(A), w ∈ Lfin(A1) ∩ Lfin(A2)holds.

Proof: Let w ∈ Lfin(A), and let G = 〈V,E, L〉 be a fin-accepting run of Aon w. By Proposition 2.3.7, there exists an index 0 ≤ i ≤ ω and a chain ofedges (ej)0≤j<i+1, ej ∈ E ∩ (Vj × 2Vj+1), such that the transition L(ej) ∈ ∆is an initial self-loop of A for all 0 ≤ j < i, and if i < ω, then the transitionL(ei) ∈ ∆ is an initial transition of A that is not a self-loop.

Write L(ej) = tj = 〈qI , θj , Fj, Q′j〉 for all 0 ≤ j < i + 1, and fix 0 ≤

j < i + 1. From the definition of A it follows that for all k ∈ {1, 2}, thereexists a transition tj,k = 〈qIk, θj,k, Fj,k, Q

′j,k〉 ∈ ∆k for some θj,k ∈ PL(AP),

Fj,k ⊆ Fk and Q′j,k ⊆ Qk such that θj = (θj,1 ∧ θj,2) holds. If j < i,

then L(ej) is an initial self-loop of A, in which case Fj = Fj,1 ∪ Fj,2 andQ′j =

(Q′j,1 ∪ Q′

j,2 ∪ {qI})\ {qI1, qI2} (where {qI1, qI2} ⊆ Q′

j,1 ∪ Q′j,2).

Otherwise, if i < ω, then Fi = ∅ and Q′i = Q′

i,1 ∪Q′i,2.

For all 0 ≤ j < i and k ∈ {1, 2}, writeQ′j,k\{qI1, qI2} = {qj,k,1, qj,k,2, . . . ,

qj,k,nj,k} for some 0 ≤ nj,k < ω. If i < ω, write Q′

i,k = {qi,k,1, qi,k,2, . . . ,qi,k,ni,k

} for some 0 ≤ ni,k < ω (k ∈ {1, 2}). We construct a fin-acceptingsemi-run G′ = 〈V ′, E ′, L′〉 of A1 on w.

(Definition of G′) Define the levels of G′ inductively: let V ′0

def= {v0,1} and

L′(v0,1)def= qI1, and assume that V ′

j and L′(v) have already been defined forsome 0 ≤ j < i+ 1 and for all v ∈ V ′

j , respectively. For all v ∈ V ′j , define a


set S(v) of nodes (which will correspond to the successors of v in G′) by

S(v)def=

∅ if L′(v) /∈ {qI1, qI2}{vj,k,1, . . . , vj,k,nj,k

} if L′(v) = qIk (k ∈ {1, 2}),and either i = ω, or j < i∪

{vj+1,` ` ∈ {1, 2}, qI` ∈ Q′

j,k

}

{vj,k,1, . . . , vj,k,nj,k}

if L′(v) = qIk (k ∈ {1, 2}),i < ω, and j = i.

Let V ′j+1

def=

⋃v∈V ′

jS(v). (We distinguish between nodes by their sub-

scripts; thus, V ′j+1 consists of at most nj,1 + nj,2 + 2 nodes not included in

any previously defined level of G′.) Define the labeling for the nodes at levelj + 1 by setting

L′(vj,k,`)def= qj,k,` and L′(vj+1,k)

def= qIk

for all (relevant) combinations of k ∈ {1, 2} and 1 ≤ ` ≤ nj,k. If i < ω,

let V ′j

def= ∅ for all i + 1 < j < ω. To complete the definition of G′, let

E ′ def=

{⟨vj,k, S(vj,k)

⟩vj,k ∈ V ′

j for some 0 ≤ j < i + 1 and k ∈ {1, 2}}

,

and for all e =⟨vj,k, S(vj,k)

⟩∈ E ′, let L′(e)

def= tj,k.

(G′ is a fin-accepting semi-run of A1 on w) We check that G′ is a fin-ac-cepting semi-run of A1 on w.

(Partitioning) Clearly, V ′0 = {v0,1} is a singleton, V ′ consists of finite

disjoint levels, and all edges of E ′ lie between successive levels of G′.

(Causality) Let v ∈ V ′j for some 0 ≤ j < ω. Then v = vj−1,k,` holds

for some k ∈ {1, 2} and 1 ≤ ` ≤ nj−1,k, or v = vj,k holds for somek ∈ {1, 2}. In the former case, v has no outgoing edges; otherwise v hasthe unique outgoing edge

⟨v, S(v)

⟩∈ E ′. It follows that G′ satisfies the

forward semi-causality constraint.If v′ ∈ V ′

j holds for some 1 ≤ j < ω, then j < i+ 2 holds, and, by theinductive definition of the levels of G′, there exists a node v ∈ V ′

j−1 suchthat L′(v) ∈ {qI1, qI2} and v′ ∈ S(v) hold. Because j − 1 < i+ 1 holds,L′(v) ∈ {qI1, qI2} implies that v = vj−1,k for some k ∈ {1, 2}. Because⟨vj−1,k, S(vj−1,k)

⟩∈ E ′, it follows that v′ is a successor of the node v at

level j − 1, and G′ satisfies the backward causality constraint.

(Consistency of L′) Clearly, L′(V ′0) =

{L′(v0,1)

}= {qI1} holds. Let

e =⟨vj,k, S(vj,k)

⟩∈ E ′ for some 0 ≤ j < i+1 and k ∈ {1, 2}. By the def-

inition of G′, e is labeled with the transition tj,k = 〈qIk, θj,k, Fj,k, Q′j,k〉 ∈

∆k. Because the edge ej ∈ E ∩ (Vj × 2Vj+1) is labeled in G with thetransition tj = 〈qI , θj , Fj, Q

′j〉 ∈ ∆, w(j) |= θj = (θj,1 ∧ θj,2) holds (G is

a run of A). By the semantics of LTL, it follows that w(j) |= θj,k holds.Moreover, L′(vj,k) = qIk holds, and it is straightforward to check fromthe definitions that also L′

(S(vj,k)

)= Q′

j,k holds. Thus the labeling L isconsistent.

(Acceptance) If V ′j = ∅ holds for some 0 ≤ j < ω (which is always

the case if i < ω holds), then E ′ is finite. In this case B(G′) = ∅, andG′ is trivially fin-accepting. Otherwise i = ω, and G′ contains an infinitebranch β = (e′j)0≤j<ω ∈ B(G′), where e′j ∈ E ′ ∩ (V ′

j × 2V′j+1) for all

0 ≤ j < ω. By the definition of E ′, e′j =⟨vj,k, S(vj,k)

⟩holds for some


k ∈ {1, 2} for all 0 ≤ j < ω, and thus L′(e′j) ∈ {tj,1, tj,2} holds for all 0 ≤j < ω. Suppose that fin(β) 6= ∅ holds. Then there exists an acceptancecondition f ∈ F and an index 0 ≤ ` < ω such that the transition L′(e′j)is an f -transition for all ` ≤ j < ω. Because i = ω, each edge ej inthe run G is labeled with a self-loop of A for all 0 ≤ j < ω, and thusthe acceptance conditions of L(ej) include the acceptance conditions ofthe transitions tj,1 and tj,2 for all 0 ≤ j < ω. But then fin

((ej)0≤j<ω) 6=

∅ holds, contrary to the assumption that G is a fin-accepting run of A.Therefore fin(β) is empty, and G′ is a fin-accepting semi-run of A1 on w.

(G′ can be extended to a fin-accepting run) Let v ∈ V ′ be a node with nooutgoing edges in G′. Then v = vj,k,` ∈ V ′

j+1 holds for some 0 ≤ j < i+ 1,

k ∈ {1, 2} and 1 ≤ ` ≤ nj,k, and L′(v) ∈ Q′′ def= {qj,k,1, . . . , qj,k,nj,k

} ⊆ Q1

(because G′ is a run of A1, all nodes in V ′j+1 are labeled with descendants of

L′(v0,1) = qI1 by Proposition 2.3.6). In the run G, ej ∈ E ∩ (Vj × 2Vj+1)holds, and L(ej) = 〈qI , θj , Fj, Q

′j〉, where Q′′ ⊆ Q′

j . Because G is a fin-accepting run of A on w, Aq fin-accepts wj+1 for all q ∈ Q′

j , and becauseQ′′ ⊆ Q1 holds, wj+1 ∈ Lfin(A

q) = Lfin(Aq,F1) = Lfin(A

q1) holds for all

q ∈ Q′′ (Lemma 5.4.4). In particular, AL′(v)1 fin-accepts wj+1, and because

this result holds for all v ∈ V ′ with no outgoing edges, the semi-run G′ canbe extended into a fin-accepting run of A1 on w by Proposition 2.3.14. Weconclude that w ∈ Lfin(A1) holds.

(w ∈ Lfin(A2)) By repeating the above construction of G′ for the automa-ton A2 (i.e., by starting the inductive definition of the levels of V ′ from the

set V ′0

def= {v0,2} with L′(v0,2)

def= qI2), we obtain a fin-accepting run of A2 on

w. Thus w ∈ Lfin(A1) and w ∈ Lfin(A2) hold. �

To prove the converse language inclusion, we need the following techni-cal result.

Lemma 5.4.6 Let A1, A2 and A be three alternating automata as specifiedin Proposition 5.4.3, and let w ∈ Lfin(A1) ∩ Lfin(A2). There exists (by pos-sibly switching the roles of A1 and A2) an index 0 ≤ i ≤ ω and, for all n ∈{1, 2}, a sequence (tj,n)0≤j<i+1 =

(〈qIn, θj,n, Fj,n, Q

′j,n〉

)0≤j<i+1

∈ ∆i+1n of

initial transitions of An such that

• the sequence (tj,1)0≤j<i+1 is a chain of initial transitions of A1 suchthat the transition tj,1 is an initial self-loop of A1 for all 0 ≤ j < i;

• there exists a (possibly infinite) sequence of integers 0 = ı0 < ı1 <· · · < i such that the sequence (tj,2)0≤j<i+1 can be written either (i)as a finite concatenation (tj,2)ı0≤j<ı1(tj,2)ı1≤j<ı2 · · · (tj,2)ı`≤j<i+1 (0 ≤` < ω) of nonempty segments, the last one of which is infinite iff i = ωholds, or (ii) as an infinite concatenation (tj,2)ı0≤j<ı1(tj,2)ı1≤j<ı2 · · ·of nonempty finite segments, where (in both cases) every segment is achain of initial transitions of A2, and every non-final segment ends inan initial non-self-loop of A2;

• w(j) |= (θj,1 ∧ θj,2) holds for all 0 ≤ j < i+ 1;

• for all 0 ≤ j < i+ 1, n ∈ {1, 2} and q ∈ Q′j,n, Aq

n fin-accepts wj+1;


• {qI1, qI2} ⊆ Q′j,1 ∪Q

′j,2 holds for all 0 ≤ j < i;

• if i < ω holds, then {qI1, qI2} 6⊆ Q′i,1 ∪Q

′i,2 holds; and

• if i = ω holds, then, for all f ∈ F1 ∪ F2, there exist infinitely manyindices 0 ≤ j < ω such that f /∈ Fj,1 ∪ Fj,2 holds.

Proof: Because w ∈ Lfin(A1)∩Lfin(A2) holds, A1 and A2 have fin-acceptingruns G1 = 〈V 1, E1, L1〉 and G2 = 〈V 2, E2, L2〉 on w, respectively. (Withoutloss of generality, we may assume that V 1 ∩ V 2 = E1 ∩ E2 = ∅ holds.) Fur-thermore, because the automaton An (n ∈ {1, 2}) is an acceptance closedalternating automaton that has an f -representative state for all f ∈ Fn forwhich it has an f -state, we may assume that G1 and G2 are fin-acceptancesynchronized (Proposition 4.3.5). As a matter of fact, because A1 and A2

share an f -representative state for all f ∈ F1 ∩ F2 for which they bothhave an f -state, G1 and G2 can be built using the construction given in theproof of Proposition 4.3.5 such that there are, for all acceptance conditionsf ∈ F1 ∪ F2, infinitely many indices 0 ≤ j < ω such that no transitionlabeling an edge starting from a node at level j of G1 or G2 is an f -transition.Therefore, not only are the runs G1 and G2 individually fin-acceptance syn-chronized, but the graph obtained by juxtaposing G1 and G2 is similarly syn-chronized; we say that G1 and G2 are mutually fin-acceptance synchronized.

Let n ∈ {1, 2}. By Proposition 2.3.7, there exists an index 0 ≤ in ≤ ωand a chain of edges (ej,n)0≤j<in+1 in Gn, ej,n ∈ En ∩ (V n

j × 2Vnj+1), such

that for all 0 ≤ j < in, the transition Ln(ej,n) ∈ ∆n is an initial self-loop ofAn, and if in < ω holds, then Ln(ein,n) is an initial transition of An that isnot a self-loop.

Without loss of generality, we may assume that i2 ≤ i1 holds (if this is

not the case, switch the roles of A1 and A2). For all n ∈ {1, 2}, let tj,ndef=

Ln(ej,n) = 〈qIn, θj,n, Fj,n, Q′j,n〉 for all 0 ≤ j < in + 1. Clearly, for all

n ∈ {1, 2}, the sequence (tj,n)0≤j<in+1 is a chain of initial transitions of An.Because the edge ej,n ∈ En ∩ (V n

j × 2Vnj+1) is an edge in a fin-accepting run

of An on w and Ln is consistent, w(j) |= θj,n holds for all 0 ≤ j < in + 1,Aqn fin-accepts wj+1 for all 0 ≤ j < in + 1 and q ∈ Q′

j,n (Proposition 2.3.9),and qIn ∈ Q′

j,n holds for all 0 ≤ j < in.

If i2 = ω holds, then the result obviously follows if we define idef= ω: in

this case the sequence (tj,2)0≤j<i+1 consists of a single infinite segment, andthe fact that G1 and G2 are mutually fin-acceptance synchronized guaranteesthat f /∈ Fj,1 ∪ Fj,2 holds for infinitely many 0 ≤ j < ω for all f ∈ F1 ∪ F2.

If i2 < ω holds, then clearly (tj,2)0≤j<i2+1 consists of a single segmentconforming to the criteria given in the lemma, and this segment ends in aninitial non-self-loop transition of A2. In this case we extend the sequence(tj,2)0≤j<i2+1 with another segment using the following inductive construc-

tion; we also define a sequence of integers ı1, ı2, . . .. Let ı1def= i2 + 1.

Assume that ık ≤ i1 + 1 (ık < ω) and tj,2 = 〈qI2, θj,2, Fj,2, Q′j,2〉 have

already been defined for some 1 ≤ k < ω and for all 0 ≤ j < ık, andthe sequence (tj,2)0≤j<ık can be expressed as a finite concatenation of finitenonempty segments corresponding to chains of initial transitions of A2 end-ing in an initial transition that is not a self-loop, w(j) |= θj,2 holds for all


0 ≤ j < ık, and Aq2 fin-accepts wj+1 for all 0 ≤ j < ık and q ∈ Q′

j,2. (By theabove definition of (tj,2)0≤j<i2+1, the assumption clearly holds for k = 1.)

If {qI1, qI2} 6⊆ Q′ık−1,1 ∪ Q′

ık−1,2 holds, we abort the inductive construc-

tion: in this case, the result follows by defining idef= ık − 1.

Otherwise, if {qI1, qI2} ⊆ Q′ık−1,1 ∪ Q′

ık−1,2 holds, then, because tık−1,2

is not an initial self-loop of A2, qI2 /∈ Q′ık−1,2 holds, and thus qI2 ∈ Q′

ık−1,1

holds. Suppose that qI1 /∈ Q′ık−1,1 holds (in which case ık − 1 = i1 < ω);

then obviously qI1 ∈ Q′ık−1,2 holds. It follows that {qI1, qI2} ⊆ Q1 ∩ Q2

holds, and because qI1 6= qI2 and AqI1,F1∪F2

1 = AqI1,F1∪F2

2 hold by the as-sumptions given in Proposition 5.4.3, the automaton A1 contains the simplecycle (qI1, qI2, qI1) that is not a self-loop. The existence of this cycle contra-dicts the assumption that A1 is a self-loop alternating automaton. Thereforeit must be the case that qI1 ∈ Q′

ık−1,1 holds, and thus {qI1, qI2} ⊆ Q′ık−1,1.

Because G1 is a fin-accepting run of A1 and qI2 ∈ Q′ık−1,1 holds, it follows

that we can extract fromG1 a fin-accepting run (G2)′ =⟨(V 2)′, (E2)′, (L2)′

⟩

of AqI22 (which is a fin-accepting run of A2 by Proposition 2.3.12) on wık . By

Proposition 2.3.7, there now exists an integer 0 ≤ i′2 < ω such that the run

(G2)′ contains a chain of edges (ej)0≤j<i′2+1, ej ∈ (E2)′∩((V 2)′j×2(V 2)′j+1

),

labeled with initial transitions of A2 such that the transition (L2)′(ej) =〈qI2, θj , Fj, Q

′j〉 is an initial self-loop of A2 for all 0 ≤ j < i′2, and if i′2 < ω

holds, then (L2)′(ei′2) = 〈qI2, θi′2 , Fi′2 , Q′i′2〉 is not a self-loop of A2. Fur-

thermore, because (G2)′ is embedded in the fin-accepting run G1, ej−ık ∈

E1 ∩ (V 1j × 2V

1j+1) and w(j) |= θj−ık hold for all ık ≤ j < ık + i′2 + 1,

wj+1 ∈ Lfin(Aq1) = Lfin(A

q,F2

1 ) = Lfin(Aq2) holds for all ık ≤ j < ık + i′2 + 1

and q ∈ Q′j−ık

, and qI2 ∈ Q′j−ık

holds for all ık ≤ j < ık + i′2.If ık + i′2 ≤ i1 holds, then, if i′2 = ω holds, then also i1 = ω holds. In

this case the result follows by defining idef= ω and tj,2

def= (L2)′(ej−ık) for all

ık ≤ j < ω (because (G2)′ is embedded in the fin-acceptance synchronizedrun G1, it is easy to see that there again exist infinitely many 0 ≤ j < ωsuch that neither tj,1 nor tj,2 is an f -transition). If i′2 < ω holds, define

ık+1def= ık + i′2 + 1, and tj,2

def= (L2)′(ej−ık) for all ık ≤ j < ık+1. Clearly, the

assumptions of the inductive construction now hold for ık+1. In this case wecontinue the construction.

Otherwise, if ık+i′2 > i1 holds, then i1 < ω holds. We claim that the result

now follows by defining idef= i1 and tj,2

def= (L2)′(ej−ık) for all ık ≤ j ≤ i1.

It is easy to see that all except the second to last condition in the lemmahold directly by construction of the sequences (tj,1)0≤j<i+1 and (tj,2)0≤j<i+1.Assume that {qI1, qI2} ⊆ Q′

i,1∪Q′i,2 holds. Because the transition ti,1 is not an

initial self-loop ofA1, it follows that qI1 ∈ Q′i,2 holds. But then it again follows

that the automaton A1 contains the cycle (qI1, qI2, qI1), a contradiction. Weconclude that {qI1, qI2} 6⊆ Q′

i,1 ∪Q′i,2 holds.

In summary, if the above inductive construction ends after a finite numberof steps, then the transition sequence (tj,2)0≤j<i+1 consists of a finite num-ber of segments (the last one of which may be infinite), and the sequences(tj,1)0≤j<i+1 and (tj,2)0≤j<i+1 satisfy the constraints given in the lemma bythe above discussion. Otherwise the sequence (tj,2)0≤i<i+1 is formed as theconcatenation of infinitely many finite segments, all except the first one areembedded in the run G1. Because G1 is fin-acceptance synchronized, it is


easy to see that for all f ∈ F1 ∪ F2, there are again infinitely many indices0 ≤ j < ω such that neither tj,1 or tj,2 is an f -transition, and thus all con-straints of the lemma are satisfied also in this case. �

We can now show that, for any automata A1, A2 and A specified inProposition 5.4.3, every word fin-accepted by bothA1 and A2 is also acceptedby the automaton A.

Lemma 5.4.7 Let A1, A2 and A be three alternating automata as specifiedin Proposition 5.4.3. For all w ∈ Lfin(A1) ∩ Lfin(A2), w ∈ Lfin(A) holds.

Proof: Let w ∈ Lfin(A1) ∩ Lfin(A2). By Lemma 5.4.6, there exists an in-

dex 0 ≤ i ≤ ω and two sequences of transitions (tj,1)0≤j<i+1 ∈ ∆i+11 and

(tj,2)0≤j<i+1 ∈ ∆i+12 such that the conditions in the lemma are satisfied; for

all k ∈ {1, 2}, write tj,k = 〈qIk, θj,k, Fj,k, Q′j,k〉. We construct a fin-accepting

semi-run G = 〈V,E, L〉 of A on w.

(Definition of G) For all 0 ≤ j < i and k ∈ {1, 2}, writeQ′j,k\{qI1, qI2} =

{qj,k,1, . . . , qj,k,nj,k} for some 0 ≤ nj,k < ω, and if i < ω holds, write Q′

i,k ={qi,k,1, . . . , qi,k,ni,k

} for some 0 ≤ ni,k < ω. Define the components of G bysetting

• V0def= {v0},

Vj+1def= {vj,1,1, . . . , vj,1,nj,1

}∪{vj,2,1, . . . , vj,2,nj,2}∪

{{vj+1} if j < i∅ otherwise

for all 0 ≤ j < i+ 1, and if i < ω, let Vjdef= ∅ for all i+ 1 < j < ω;

• Edef=

⋃0≤j<i+1

{〈vj , Vj+1〉

}; and

• for all 0 ≤ j < i + 1, let L(vj)def= qI and L(vj,k,`)

def= qj,k,` for all k ∈

{1, 2} and 1 ≤ ` ≤ nj,k. Furthermore, let L(〈vj, Vj+1〉

)def=

⟨qI , (θj,1 ∧

θj,2), Fj,1 ∪Fj,2, (Q′j,1 ∪Q

′j,2 ∪{qI}) \ {qI1, qI2}

⟩for all 0 ≤ j < i, and

if i < ω holds, let L(〈vi, Vi+1〉

)def= 〈qI , (θi,1 ∧ θi,2), ∅, Q

′i,1 ∪Q

′i,2〉.

(G is a fin-accepting semi-run of A on w) We check that G is a fin-accept-ing semi-run of A on w.

(Partitioning) By the definition of G, V0 = {v0} is a singleton, V con-sists of finite disjoint levels, and E is a collection of edges between con-secutive levels of G.

(Causality) Let v ∈ Vj for some 0 ≤ j < ω. Then v either has nooutgoing edges, or v = vj has the unique outgoing edge 〈vj , Vj+1〉 ∈ E.On the other hand, every node v ∈ Vj for some 1 ≤ j < ω is a successorof the node vj−1 ∈ V . It follows that G satisfies the forward semi-causalityand backward causality constraints.

(Consistency of L) Clearly, L(v0) = qI holds. Let 0 ≤ j < i + 1,and let 〈vj, Vj+1〉 ∈ E. Because the transition sequences (tj,1)0≤j<i+1

and (tj,2)0≤j<i+1 satisfy the conditions given in Lemma 5.4.6, w(j) |=(θj,1 ∧ θj,2) holds. Because tj,k is an initial transition of Ak for all k ∈{1, 2}, it follows from the definition of A that ∆ contains a transition


t =⟨qI , (θj,1 ∧ θj,2), F,Q

′⟩, where either F = Fj,1 ∪ Fj,2 and Q′ =

(Q′j,1∪Q

′j,2∪{qI})\{qI1, qI2} hold, or F = ∅ and Q′ = Q′

j,1∪Q′j,2 (by the

conditions given in Lemma 5.4.6, the latter case occurs iff i < ω and j = ihold). From the definition of L it now follows that L

(〈vj , Vj+1〉

)= t,

L(vj) = qI and L(Vj+1) = Q′ hold, and thus the labeling L is consistent.

(Acceptance) If i < ω holds, then B(G) = ∅ holds, and thus G istrivially fin-accepting. Otherwise G contains the unique infinite branchβ =

(〈vj, Vj+1〉

)0≤j<ω

. By the definition of L, the transition L(〈vj, Vj+1〉

)

has the set Fj,1 ∪ Fj,2 as its acceptance conditions for all 0 ≤ j < ω.Because there are, for all acceptance conditions f ∈ F1 ∪ F2, infinitelymany 0 ≤ j < ω such that f /∈ Fj,1 ∪ Fj,2 holds (Lemma 5.4.6), it is easyto see that fin(β) = ∅ holds, and thus G is fin-accepting.

We conclude that G is a fin-accepting semi-run of A on w.

(G can be extended into a fin-accepting run) If v ∈ V is a node with nooutgoing edges in G, then v = vj,k,` holds for some 0 ≤ j < i+1, k ∈ {1, 2}and 1 ≤ ` ≤ nj,k, and L(v) = qj,k,` ∈ Q′

j,k holds. By the assumptions given

in Lemma 5.4.6, wj+1 ∈ Lfin(Aqk) = Lfin(A

q,F1∪F2

k ) = Lfin(Aq) holds for all

q ∈ Q′j,k. Thus, in particular, wj+1 ∈ Lfin(A

L(v)) holds. Because the sameresult holds for all nodes of G with no outgoing edges, the semi-run G can beextended into a fin-accepting run of A on w by Proposition 2.3.14, and thusw ∈ Lfin(A) holds. �

Lemma 5.4.5 and Lemma 5.4.7 show that the automaton A defined fromtwo automata A1 and A2 as specified in Proposition 5.4.3 fin-recognizes ex-actly the set intersection of the languages recognized by A1 and A2. Our lastresult in this section completes the proof of Proposition 5.4.3 by showing thatthe rule defined in the proposition preserves the existence of representativestates for acceptance conditions.

Lemma 5.4.8 Let A1, A2 and A be three alternating automata as specifiedin Proposition 5.4.3. The automaton A is an acceptance closed alternatingautomaton such that if A has an f -state for some f ∈ F , then A has anf -representative state that is f -representative also in all automata An (n ∈{1, 2}) that have an f -state.

Proof: (A is acceptance closed) Let f ∈ F be an acceptance condition, and

let t = 〈q, θ, F,Q′〉 ∈ ∆ be a transition of A such that f ∈ F holds. Clearly,the state q ∈ Q is an f -state of A. Because A is simplified in the senseof Corollary 2.3.20 (Lemma 5.4.4), F 6= ∅ implies that t is a self-loop ofA, i.e., q ∈ Q′ holds, and thus t is f -closed. Because the same reasoningapplies to all acceptance conditions and transitions of A, it follows that A isan acceptance closed alternating automaton.

(A has representative states for acceptance conditions) Let f ∈ F be an

acceptance condition, and let q ∈ Q = Q1 ∪ Q2 ∪ {qI} be an f -state ofA. Then there exists an index n ∈ {1, 2} such that either q ∈ Qn holds,or q = qI , and the initial state of An is an f -state (if no initial transitionof A1 or A2 were an f -transition, then no initial transition of A would be


such a transition, either). In either case, the automaton An contains an f -state, and it follows from the assumptions that the automaton An has anf -representative state qf ∈ Qn. Furthermore, if also A3−n has an f -state, wemay assume that qf ∈ Q1 ∩ Q2 is f -representative in A1 and A2. We showthat qf is f -representative in A; that is, for all f -states q ∈ Q and infinitewords w ∈ (2AP)ω,

• if w ∈ Lffin(Aqf ) ∩ Lfin(A

q) holds, then w ∈ Lffin(Aq) holds, and

• if w ∈ Lffin(Aq) holds, then wi ∈ Lffin(A

qf ) holds for some 0 ≤ i < ω.

Let q ∈ Q be an f -state of A. If q 6= qI holds, then q ∈ Qn holds forsome n ∈ {1, 2}. Because the state qf ∈ Qn is an f -representative state ofAn by assumption, the above two conditions hold in An for all w ∈ (2AP)ω

with respect to the state q. Because Aq′ fin-accepts w (by avoiding an initialf -transition) iff Aq′,Fn (= Aq′

n , Lemma 5.4.4) fin-accepts w (by avoiding aninitial f -transition) for all q′ ∈ Qn, it is easy to see that the conditions holdalso in A with respect to the state q.

If q = qI and w ∈ Lfin(AqI ) hold, then, because obviously Lfin(A

qI ) =Lfin(A) holds (Proposition 2.3.12), w ∈ Lfin(A1) = Lfin(A

qI11 ) and w ∈

Lfin(A2) = Lfin(AqI22 ) hold by Lemma 5.4.5 (and Proposition 2.3.12). By

Proposition 2.3.15, there exist transitions t1 = 〈qI1, θ1, F1, Q′1〉 ∈ ∆1 and

t2 = 〈qI2, θ2, F2, Q′2〉 ∈ ∆2 such that for all n ∈ {1, 2}, w(0) |= θn holds,

and Aq′

n fin-accepts w1 for all q′ ∈ Q′n.

Let w ∈ Lfin(AqI), and let t1 ∈ ∆1 and t2 ∈ ∆2 be initial transitions of

A1 and A2 (respectively) having the above properties. From the definition ofA it follows that A contains the transition t =

⟨qI , (θ1 ∧ θ2), F,Q

′⟩, where

either (i) F = ∅ andQ′ = Q′1∪Q

′2 ({qI1, qI2} 6⊆ Q′

1∪Q′2), or (ii) F = F1∪F2

and Q′ =(Q′

1∪Q′2 ∪{qI}

)\{qI1, qI2} hold ({qI1, qI2} ⊆ Q′

1∪Q′2). Clearly,

because w(0) |= θn holds for all n ∈ {1, 2}, it is easy to see that w(0) |=(θ1 ∧ θ2) holds. We show that the state qf satisfies the criteria required of anf -representative state of A with respect to the state qI .

(w ∈ Lffin(Aqf ) ∩ Lfin(A

qI) implies w ∈ Lffin(AqI )) Suppose that w ∈

Lffin(Aqf ) ∩ Lfin(A

qI) holds. If the transition t is an f -transition of A,then the transition tn is an f -transition for some n ∈ {1, 2}, and thus theinitial state qIn ∈ Qn is an f -state of An. Therefore qf ∈ Qn holds, andit follows by the above discussion that w ∈ Lffin(A

qfn ) ∩ Lfin(A

qInn ) holds.

Because qf is an f -representative state of An, w ∈ Lffin(AqInn ) holds, and

thus we may change the transition tn to another initial transition of An

that does not include the condition f in its acceptance conditions (byapplying Proposition 2.3.15).

We may thus assume that the transition t =⟨qI , (θ1 ∧ θ2), F,Q

′⟩

de-fined above is not an f -transition of A.

Clearly, because q′ ∈ Q′1 ∪ Q′

2 holds for all q′ ∈ Q′ \ {qI}, it follows(by the choice of the transitions t1 and t2) that the subautomaton Aq′

(which coincides with Aq′,F1∪F2

1 or Aq′,F1∪F2

2 ) fin-accepts w1 for all q′ ∈Q′ \ {qI}. If qI ∈ Q′ holds, then {qI1, qI2} ⊆ Q′

1 ∪ Q′2 holds, and thus

w1 ∈ Lfin(AqI1) ∩ Lfin(A

qI2) holds. It now follows by Proposition 2.3.12and Lemma 5.4.7 that w1 ∈ Lfin(A

qI) holds. Therefore, Aq′ fin-accepts


w1 for all q′ ∈ Q′, and because w(0) |= (θ1 ∧ θ2) and f /∈ F hold, itfollows by Proposition 2.3.15 that w ∈ Lffin(A

qI ) holds.

(w ∈ Lffin(AqI) implies wi ∈ Lffin(A

qf ) for some 0 ≤ i < ω) Suppose

that w ∈ Lffin(AqI) holds. Because qI is an f -state of A, qIn is an f -state

of An for some n ∈ {1, 2}. Because w ∈ Lfin(AqInn ) holds, AqIn

n has afin-accepting run G = 〈V,E, L〉 on w. By Proposition 2.3.7, there ex-ists an index 0 ≤ i ≤ ω such that this run contains a chain of edges(ej)0≤j<i+1, ej ∈ E ∩ (Vj × 2Vj+1), labeled with initial transitions ofAn, and if i < ω holds, then the transition L(ei) is not a self-loop. Weclaim that wk ∈ Lffin(A

qInn ) holds for some 0 ≤ k < ω. This is clear if

i < ω holds, because in this case the non-self-loop transition L(ei) hasan empty set of acceptance conditions (An is simplified in the sense of

Corollary 2.3.20), and we may choose kdef= i in this case. Otherwise

(ej)0≤j<i+1 is an infinite branch in G labeled with initial self-loops ofAn. Because G is fin-accepting, it follows that there necessarily existsan index 0 ≤ k < ω such that L(ek) is not an f -transition of An, andwk ∈ Lffin(A

qInn ) holds.

Because qIn is an f -state of An, qf ∈ Qn holds, and because qf is f -representative, wk ∈ Lffin(A

qInn ) implies that (wk)` ∈ Lffin(A

qfn ) holds for

some 0 ≤ ` < ω. Because Lfin(Aqfn ) = Lfin(A

qf ,F1∪F2n ) = Lfin(A

qf )holds, it follows that wk+` ∈ Lffin(A

qf ) holds.

We conclude that qf is an f -representative state of A. By the choice of qf , qfis f -representative also in An (n ∈ {1, 2}) if An contains an f -state. Becausethe same holds for all acceptance conditions f ∈ F , the result follows. �

Proposition 5.4.3 now follows by combining Lemma 5.4.4, Lemma 5.4.5,Lemma 5.4.7 and Lemma 5.4.8. Due to the properties of the automata builtusing the basic translation rules and Proposition 5.4.3, it follows that thetranslation procedure presented in Sect. 3.1 remains correct in the senseof Theorem 3.3.2 if the set of basic translation rules is extended with therule presented in Proposition 5.4.3. Furthermore, because this rule is closedunder the construction of acceptance closed automata with representativestates for their acceptance conditions, the automaton obtained from an LTLformula via the refined translation procedure can be translated into a non-deterministic automaton without introducing new acceptance conditions inthe translation (Corollary 4.3.7). Further effects of using the new translationrule for the ∧ connective will be discussed in Sect. 5.6.

5.5 BINARY TEMPORAL CONNECTIVES

In this section we refine the basic translation rules for the Until connectivesand use them to derive new rules also for the Release connectives. Unlikethe universally applicable translation rule proposed in the previous sectionfor the ∧ connective, however, the rules for the Until connectives applyonly under a certain language containment relationship between the top-level subformulas of an Until formula. The optimized rules for the Untilconnectives nevertheless lead to improved translation rules for the Release


connectives that do not necessitate checking for any language containmentrelationships between top-level subformulas (certain relationships admit fur-ther optimizations, however).

The Until Connectives

Let A1 and A2 be two alternating automata built for the LTL formulas ϕ1 ∈LTLPNF(AP) and ϕ2 ∈ LTLPNF(AP), respectively. To build an automa-ton for a formula of the form (ϕ1 Uϕ2), the basic translation rules for the U

connectives take a new state (the initial state of the automaton to be built)and transform the initial transitions of A1 into self-loops starting from thisstate. Clearly, all initial self-loops of A1 are unrolled into initial transitionsof the compound automaton in the application of the translation rule, andthus the initial state qI1 of A1 will remain reachable from the initial state ofany automaton built from the compound automaton in subsequent transla-tion steps. However, if the languages of ϕ1 and ϕ2 satisfy the language con-tainment relationship L(ϕ2) ⊆ L(ϕ1), it proves to be possible to avoid theintroduction of self-loops having the initial state of A1 in their target states inthe compound automaton by a slight modification to the way in which theinitial self-loops of this automaton are defined. Similarly to the new trans-lation rule defined for the ∧ connective in the previous section, it may bepossible to drop the state qI1 from the final automaton obtained at the end ofthe translation.

The new translation rules for the U connectives are based on the followingresult.

Proposition 5.5.1 Let A1 = 〈2AP , Q1,∆1, qI1,F1〉 and A2 = 〈2AP , Q2,∆2,qI2,F2〉 be two alternating automata satisfying the following constraints:

• A1 and A2 are self-loop alternating automata simplified in the senseof Corollary 2.3.20 (i.e., for all transitions t ∈ ∆1 ∪ ∆2, the set ofacceptance conditions of t is not empty only if t is a self-loop)

• Aq,F1∪F21 = Aq,F2∪F2

2 holds for all states q ∈ Q1 ∩Q2;

• for all indices n ∈ {1, 2}, the automaton An is an acceptance closedalternating automaton, and if An has an f -state for some f ∈ Fn, thenAn has an f -representative state;

• if both A1 and A2 have an f -state for some f ∈ F1 ∩ F2, then A1 andA2 share an f -representative state; and

• Lfin(A2) ⊆ Lfin(A1) holds.

Define the alternating automaton A = 〈2AP , Q,∆, qI ,F〉 obtained from A1

and A2 by setting Qdef= Q1 ∪Q2 ∪ {qI} (where qI is a new state not included

in Q1 ∪Q2), ∆def= ∆1 ∪ ∆2 ∪ ∆′, and F

def= F1 ∪ F2 ∪ F ′, where either

F ′ def= {f} for a new acceptance condition f /∈ F1 ∪ F2, and

∆′ def=

{〈qI , θ, {f}, (Q

′ \ {qI1}) ∪ {qI}〉〈qI1, θ, F,Q′〉 ∈ ∆1

}

∪{〈qI , θ, ∅, Q

′〉〈qI2, θ, F,Q′〉 ∈ ∆2

}


orF ′ def

= ∅, and

∆′ def=

{〈qI , θ, F, (Q

′ \ {qI1}) ∪ {qI}〉〈qI1, θ, F,Q′〉 ∈ ∆1

}

∪{〈qI , θ, ∅, Q

′〉〈qI2, θ, F,Q′〉 ∈ ∆2

}

The automaton A is an acceptance closed self-loop alternating automatonthat is simplified in the sense of Corollary 2.3.20, Aq,Fn = Aq

n holds for alln ∈ {1, 2} and q ∈ Q ∩ Qn, and for all w ∈ (2AP)ω, w ∈ Lfin(A) holdsiff (i) there exists an index 0 ≤ i < ω such that wi ∈ Lfin(A2) holds andwj ∈ Lfin(A1) holds for all 0 ≤ j < i, or (ii) F ′ = ∅, andwi ∈ Lfin(A1) holdsfor all 0 ≤ i < ω. Furthermore, if A has an f -state for some f ∈ F , then Ahas an f -representative state that is f -representative also in all automata An

(n ∈ {1, 2}) that have an f -state.

Similarly to the previous section, we prove Proposition 5.5.1 in severalsteps. We first show that the automaton A has the simple structural propertieslisted in the proposition.

Lemma 5.5.2 Let A1, A2 and A be three alternating automata as specifiedin Proposition 5.5.1. The automaton A is a self-loop alternating automatonsimplified in the sense of Corollary 2.3.20 such that Aq,Fn = Aq

n holds for alln ∈ {1, 2} and q ∈ Q ∩Qn.

Proof: Because A1 and A2 are self-loop alternating automata simplified inthe sense of Corollary 2.3.20, it is easy to see that also A is the same kind ofself-loop alternating automaton (all loops introduced into A by the definitionare self-loops, and all non-self-loop transitions have an empty set of accep-tance conditions). Let q ∈ Q ∩Qn for some n ∈ {1, 2}. Then q 6= qI holds,and all transitions of the subautomaton Aq are transitions of An. Therefore,the acceptance conditions of these transitions are subsets of Fn, and it followsthat Aq,Fn = Aq

n holds. �

The following lemma shows that the automaton A fin-recognizes the de-sired language. (This result is analogous to Lemma 3.3.1.)

Lemma 5.5.3 Let A1 = 〈2AP , Q1,∆1, qI1,F1〉, A2 = 〈2AP , Q2,∆2, qI2,F2〉 and A = 〈2AP , Q,∆, qI ,F〉 be three alternating automata such thatLfin(A2) ⊆ Lfin(A1) and qI /∈ Q1 ∪ Q2 hold, and Q (∆, F ) is defined fromQ1 and Q2 (∆1 and ∆2, F1 and F2 and F ′) as specified in Proposition 5.5.1.For all w ∈ (2AP)ω,

A fin-accepts w iff there exists an index 0 ≤ i < ω such that A2 fin-accepts wi, and for all 0 ≤ j < i, A1 fin-accepts wj

orF ′ = ∅, and A1 fin-accepts wi for all 0 ≤ i < ω.

Proof: (Only if) Let w ∈ Lfin(A), and let G = 〈V,E, L〉 be a fin-accepting

run of A on w. By Proposition 2.3.7, there exists an index 0 ≤ i ≤ ω anda chain of edges (ej)0≤j<i+1, ej ∈ E ∩ (Vj × 2Vj+1), such that the transitionL(ej) ∈ ∆ is an initial self-loop of A for all 0 ≤ j < i, and if i < ω holds,then L(ei) ∈ ∆ is an initial transition of A that is not a self-loop.


We first show that if wj ∈ Lfin(A1) holds for some 0 ≤ j < i + 1, thenwk ∈ Lfin(A1) holds for all 0 ≤ k ≤ j. Let 0 ≤ j < i+ 1 be an index suchthat wj ∈ Lfin(A1) holds. The implication holds trivially if j = 0. Assumethat j ≥ 1 holds, and wk ∈ Lfin(A1) holds for some 1 ≤ k ≤ j. Because

k−1 ≤ j−1 < i holds, the transition tdef= L(ek−1) = 〈qI , θ, F,Q

′〉 ∈ ∆ is aninitial self-loop of A, and becauseG is a fin-accepting run of A, w(k−1) |= θholds, and wk ∈ Lfin(A

q′) holds for all q′ ∈ Q′ (Proposition 2.3.9). Because tis an initial self-loop of A, it follows from the definition of A that the automa-ton A1 has an initial transition 〈qI1, θ, F1, Q

′1〉 ∈ ∆1 for some F1 ⊆ F1 and

Q′1 ⊆ Q1 such thatQ′ =

(Q′

1\{qI1})∪{qI} holds. Becausewk ∈ Lfin(A1) =

Lfin(AqI11 ) (Proposition 2.3.12) holds by the assumption, it follows that, for

all q′ ∈ Q′1, wk ∈ Lfin(A

q′) = Lfin(Aq′,F1) = Lfin(A

q′

1 ) (Lemma 5.5.2)holds, and because w(k − 1) |= θ holds, it follows by Proposition 2.3.15 thatwk−1 ∈ Lfin(A1) holds. By induction on decreasing values of k, it followsthat wk ∈ Lfin(A1) holds for all 0 ≤ k ≤ j.

(i < ω) If i < ω holds, then the transition L(ei) = 〈qI , θ, F,Q′〉 ∈ ∆ is

not an initial self-loop of A. By the definition of A, L(ei) corresponds to aninitial transition 〈qI2, θ, F2, Q

′〉 ∈ ∆2 of A2 for some F2 ⊆ F2, and Q′ ⊆ Q2

holds. Again, because G is a fin-accepting run of A, w(i) |= θ holds, and

for all q′ ∈ Q′, wi+1 ∈ Lfin(Aq′) = Lfin(A

q′,F2) = Lfin(Aq′

2 ) (Lemma 5.5.2)holds. By Proposition 2.3.15, it follows that wi ∈ Lfin(A2) holds. BecauseLfin(A2) ⊆ Lfin(A1) holds by assumption, also A1 fin-accepts wi. By theabove inductive argument, wk ∈ Lfin(A1) holds for all 0 ≤ k ≤ i, and theresult follows.

(i = ω) If i = ω holds, then L(ej) is an initial self-loop of A for all 0 ≤

j < ω. Then necessarily F ′ = ∅ holds, since otherwise fin((ej)0≤j<ω

)6= ∅

would hold, contrary to the assumption thatG is fin-accepting. Because eachinitial self-loop of A corresponds to an initial transition of A1, then the resultfollows immediately by the above inductive argument if the initial transitioncorresponding to L(ej) is not an initial self-loop of A1 for infinitely many0 ≤ j < ω (if L(ej) corresponds to an initial transition of A1 that is not aself-loop of A1, it is straightforward to check that the index j can be used asthe base case for the induction).

Otherwise there exists an index 0 ≤ j < ω such that the transitionL(ej+k)(which is an initial self-loop of A) corresponds to an initial self-loop of A1 forall 0 ≤ k < ω. Let ej = 〈v0, V

′〉 for some v0 ∈ Vj and V ′ ⊆ Vj+1, and let

L(ej+k) = 〈qI , θk, Fk, Q′k〉, where w(j + k) |= θk holds for all 0 ≤ k < ω.

Write Q′k \ {qI} = {qk,1, qk,2, . . . , qk,nk

} (0 ≤ nk < ω) for all 0 ≤ k < ω.Define the graph G′ = 〈V ′, E ′, L′〉, where

• V ′0

def= {v0}, V ′

k+1def= {vk+1, vk,1, . . . , vk,nk

} for all 0 ≤ k < ω,

• E ′ def=

⋃0≤k<ω

{〈vk, V

′k+1〉

},

• L′(vk)def= qI1, L′(vk,`)

def= qk,` for all 0 ≤ k < ω and 1 ≤ ` ≤ nk, and

L′(〈vk, V

′k+1〉

)def=

⟨qI1, θk, Fk, (Q

′k \ {qI}) ∪ {qI1}

⟩for all 0 ≤ k < ω.

G′ is a fin-accepting semi-run of A1 on wj:


(Partitioning) V ′0 = {v0} is a singleton, and V ′ is partitioned into dis-

joint finite levels (with edges only between successive levels).

(Causality) Let v ∈ V ′k for some 0 ≤ k < ω. Then v either has no

outgoing edges, or v = vk, in which case v has the unique outgoing edge〈v, V ′

k+1〉 ∈ E ′. On the other hand, each node v ∈ V ′k (1 ≤ k < ω) is

a successor of the node vk−1 ∈ V ′k−1 in G′. It follows that G′ satisfies the

forward semi-causality and backward causality constraints.

(Consistency of L′) Clearly, L′(v0) = qI1 holds. Let e = 〈vk, V′k+1〉 ∈

E for some 0 ≤ k < ω. Because the transition L(ej+k) = 〈qI , θk, Fk, Q′k〉

is a self-loop of A that corresponds to an initial self-loop of A1 and F ′ = ∅holds, it follows from the definition of A that ∆1 contains the transition⟨qI1, θk, Fk, (Q

′k \ {qI}) ∪ {qI1}

⟩= L′(e) =

⟨L′(vk), θk, Fk, L(V ′

k+1)⟩.

Furthermore, because G is a run of A, w(j+k) = wj(k) |= θk holds, andthus the labeling L′ is consistent.

(Acceptance) Clearly, B(G′) contains the unique infinite branch βdef=

(e′k)0≤k<ω =(〈vk, V

′k+1〉

)0≤k<ω

. Because the transition L′(e′k) inherits its

acceptance conditions from the transition L(ej+k) for all 0 ≤ k < ω, itfollows that fin(β) = fin

((e′k)0≤k<ω

)= fin

((ej+k)0≤k<ω

)= ∅, because

G is a fin-accepting run of A on w. It follows that G′ is a fin-acceptingsemi-run of A1 on wj.

Let v ∈ V ′ be a node with no outgoing edges in G′. Then v = vk,` holds

for some 0 ≤ k < ω, 1 ≤ ` ≤ nk, and L′(v) = qk,` ∈ Q′k \ {qI} ⊆ Q1.

Because G is a fin-accepting run of A on w and ej+k ∈ E and L(ej+k) =

〈qI , θk, Fk, Q′k〉 hold, it follows that w(j+ k) |= θk holds, and Aq′ fin-accepts

wj+k+1 = (wj)k+1 for all q′ ∈ Q′k. In particular, (wj)k+1 ∈ Lfin(A

qk,`) =Lfin(A

qk,`,F1) = Lfin(Aqk,`

1 ) holds, and because v is arbitrary, G′ can be ex-tended into a fin-accepting run of A1 on wj by Proposition 2.3.14.

Since each level of the fin-accepting run G′ includes a node labeled withthe initial state of A1, it follows by Proposition 2.3.9 that A1 fin-accepts(wj)k = wj+k for all 0 ≤ k < ω. By the inductive argument given inthe beginning of the proof, A1 fin-accepts wk also for all 0 ≤ k ≤ j, and thusA1 fin-accepts wk for all 0 ≤ k < ω.

(If) The result follows in this direction by an obvious modification of the

proof of the corresponding direction in Lemma 3.3.1 (when defining non-empty levels of a run of A on w, do not include nodes labeled with the stateqI1 to any level with index less than i+1 to make it possible to label the chainof edges that emerges with initial transitions of A in a consistent way). �

To complete the proof of Proposition 5.5.1, we show that the translationrule defined in the proposition preserves acceptance closure and the exis-tence of representative states for acceptance conditions.

Lemma 5.5.4 Let A1, A2 and A be three alternating automata as specifiedin Proposition 5.5.1. The automaton A is an acceptance closed alternatingautomaton such that if A has an f -state for some f ∈ F , then A has anf -representative state that is f -representative also in all automata An (n ∈{1, 2}) that have an f -state.


Proof: (A is acceptance closed) Because A1 and A2 are acceptance closed

automata, it is easy to see that every transition t ∈ ∆1 ∪∆2 is f -closed for allf ∈ F . Clearly, also every initial transition of A is f -closed for all f ∈ F : ifA has an initial f -transition, then this transition is a self-loop of A and thusincludes the f -state qI in its target states.

(A has representative states for acceptance conditions) Let f ∈ F be an

acceptance condition, and let q ∈ Q = Q1 ∪ Q2 ∪ {qI} be an f -state of A.If f /∈ F1 ∪ F2 holds, then it follows from the definition of A that q = qIholds. Therefore, A has a unique f -state in this case, and this state is triviallyan f -representative state of A.

Otherwise, if f ∈ F1 ∪ F2 holds, then q ∈ Qn holds for some n ∈ {1, 2},or q = qI , and the initial state qI1 of A1 is an f -state (otherwise qI wouldnot be an f -state). In either case, one of the automata A1 and A2 containsan f -state, and it follows from the assumptions in Proposition 5.5.1 that thisautomaton contains an f -representative state qf . (If both A1 and A2 con-tain an f -state, we may assume that the state qf is f -representative in bothautomata.) We show that qf is an f -representative state of A.

Let q ∈ Q be an f -state of A, and let w ∈ (2AP)ω. If q ∈ Qn holds forsome n ∈ {1, 2}, then it is straightforward to check that the state qf satisfiesthe two conditions required of an f -representative state with respect to the f -state q (Sect. 4.3.3), because qf is an f -representative state of An, and Aq′ fin-acceptsw (by avoiding an initial f -transition) iff Aq′,Fn (= Aq′

n , Lemma 5.5.2)fin-accepts w (by avoiding an initial f -transition) for all q′ ∈ Qn.

Otherwise, if q = qI holds, it follows that the initial state qI1 of A1 is anf -state, and qf ∈ Q1 is an f -representative state of A1. We check that theproperties required of an f -representative state of A hold for qf also in thiscase.

If w ∈ Lfin(AqI ) holds, then, because the automata AqI and A fin-rec-

ognize the same language (Proposition 2.3.12), w ∈ Lfin(A) holds, and itfollows by Lemma 5.5.3 that there exists an index 0 ≤ i ≤ ω such thatwj ∈ Lfin(A1) (= Lfin(A

qI11 )) holds for all 0 ≤ j < i, and if i < ω holds,

then wi ∈ Lfin(A2) (= Lfin(AqI22 )) holds.

(w ∈ Lffin(Aqf ) ∩ Lfin(A

qI) implies w ∈ Lffin(AqI )) Suppose that w ∈

Lffin(Aqf ) ∩ Lfin(A

qI ) holds, and let 0 ≤ i ≤ ω be the index definedabove.

If i ≥ 1 holds, then w0 = w ∈ Lfin(AqI11 ) holds, and it is easy

to see that also w1 ∈ Lfin(A) = Lfin(AqI ) holds. Because qf ∈ Q1

holds, Aqf fin-accepts w by avoiding an initial f -transition iff Aqf ,F1 (=Aqf1 , Lemma 5.5.2) fin-accepts w by avoiding an initial f -transition, and

it follows that w ∈ Lffin(Aqf1 ) ∩ Lfin(A

qI11 ) holds. Because qf is an f -

representative state of A1, w ∈ Lffin(AqI11 ) holds. By Proposition 2.3.15,

the automaton A1 has an initial transition 〈qI1, θ, F,Q′〉 ∈ ∆1 such that

w(0) |= θ and f /∈ F hold, and w1 ∈ Lfin(Aq1) = Lfin(A

q,F1 ) = Lfin(A

q)holds for all q ∈ Q′. By the definition of A, A has the initial transition⟨qI , θ, F, (Q

′ \ {qI1}) ∪ {qI}⟩∈ ∆. It now follows that Aq fin-accepts w1

for all q ∈ (Q′ \ {qI1}) ∪ {qI}, and because w(0) |= θ and f /∈ F hold, itfollows by Proposition 2.3.15 that w ∈ Lffin(A) = Lffin(A

qI) holds.If i = 0, then w0 = w ∈ Lfin(A2) holds. By Proposition 2.3.15,


the automaton A2 has an initial transition 〈qI2, θ, F,Q′〉 ∈ ∆2 such that

w(0) |= θ holds, and Aq2 fin-accepts w1 for all q ∈ Q′. In this case the

automaton A has the initial transition 〈qI , θ, ∅, Q′〉 ∈ ∆, and it is easy to

see that w1 ∈ Lfin(Aq2) = Lfin(A

q,F2 ) = Lfin(A

q) holds for all q ∈ Q′. ByProposition 2.3.15, it follows that A fin-accepts w by avoiding an initialf -transition, and thus w ∈ Lffin(A) = Lffin(A

qI) holds also in this case.

(w ∈ Lffin(AqI) implies wj ∈ Lffin(A

qf ) for some 0 ≤ j < ω) Assume

that w ∈ Lffin(AqI ) holds, and let 0 ≤ i ≤ ω be the index defined above.

Clearly, w0 ∈ Lfin(A1) holds if i ≥ 1. Because Lfin(A2) ⊆ Lfin(A1) holdsby the assumptions in Proposition 5.5.1, however, w0 ∈ Lfin(A1) actuallyholds also if i = 0 (in this case w0 ∈ Lfin(A2) ⊆ Lfin(A1) holds). Itfollows that the automaton A1 fin-accepts w. Similarly to Lemma 5.4.8, itis straightforward to show (by applying Proposition 2.3.7 to a fin-acceptingrun of A1 on w) that there exists an index 0 ≤ k < ω such that wk ∈Lffin(A1) holds, and because the state qf is an f -representative state of A1,it follows that (wk)` = wk+` ∈ Lffin(A

qf1 ) = Lffin(A

qf ) holds for some0 ≤ ` < ω.

We conclude that qf is an f -representative state of A that is f -representativealso in every automaton An (n ∈ {1, 2}) that has an f -state. Because thesame holds for all acceptance conditions f ∈ F1 ∪ F2, the result follows. �

Proposition 5.5.1 can be used directly in the proof of Theorem 3.3.2 toshow that the procedure for translating LTL formulas into alternating au-tomata remains correct if the set of translation rules is extended with specialrules for the Us and Uw connectives shown in the upper half of Table 5.3 (seealso Fig. 5.6 (b) and Fig. 5.6 (c)). Furthermore, because the automata builtusing the rules are acceptance closed automata with representative states forall of their acceptance conditions f for which they have an f -state, the trans-lation procedure extended with the new rules yields automata which can betranslated into nondeterministic automata without introducing new accep-tance conditions (Corollary 4.3.7).

The Release Connectives

The rules for the Rs and Rw connectives can again be obtained by combiningthe (original) ∧ rule with the new rules for the corresponding Until connec-tives. In particular, due to the identities

(ϕ1 Rs ϕ2) ≡((ϕ2 Us (ϕ1 ∧ ϕ2)

)and (ϕ1 Rw ϕ2) ≡

((ϕ2 Uw (ϕ1 ∧ ϕ2)

)

and the fact that L((ϕ1 ∧ ϕ2)

)= L(ϕ1) ∩ L(ϕ2) ⊆ L(ϕ2) always holds

for all pairs of LTL formulas ϕ1, ϕ2 ∈ LTL(AP), it follows that the lan-guage containment assumption in Proposition 5.5.1 holds trivially betweenthe top-level subformulas of the Until formulas corresponding to the Releaseformulas. This fact makes it possible to apply the new Until rules in thederivation of the Release rules, and thus the original translation rules for theRelease connectives can be replaced with ones that allow a slightly simplifiedtransition structure for the compound automaton.

Finally, the identities of Table 5.1 allow a further improvement in thetranslation of Release formulas of the form (ϕ1 Rϕ2), this time under the


Table 5.3: Refined translation rules for the binary temporal connectives (continua-tion of Table 3.1)

◦ F◦ ∆◦

{⟨qI , θ1, {f}, (Q

′1 \ {qI1}) ∪ {qI}

⟩〈qI1, θ1, F1, Q

′1〉 ∈ ∆1

}

∪{〈qI , θ2, ∅, Q

′2〉〈qI2, θ2, F2, Q

′2〉 ∈ ∆2

}if Lfin(A2) ⊆ Lfin(A1)

Us {f} {⟨qI , θ1, {f}, Q

′1 ∪ {qI}

⟩〈qI1, θ1, F1, Q

′1〉 ∈ ∆1

}

∪{〈qI , θ2, ∅, Q

′2〉〈qI2, θ2, F2, Q

′2〉 ∈ ∆2

}otherwise

{⟨qI , θ1, F1, (Q

′1 \ {qI1}) ∪ {qI}

⟩〈qI1, θ1, F1, Q

′1〉 ∈ ∆1

}

∪{〈qI , θ2, ∅, Q

′2〉〈qI2, θ2, F2, Q

′2〉 ∈ ∆2


Uw ∅ {⟨qI , θ1, ∅, Q

′1 ∪ {qI}

⟩〈qI1, θ1, F1, Q

′1〉 ∈ ∆1

}

∪{〈qI , θ2, ∅, Q

′2〉〈qI2, θ2, F2, Q

′2〉 ∈ ∆2

}otherwise

{⟨qI , θ2, {f}, (Q

′2 \ {qI2}) ∪ {qI}

⟩〈qI2, θ2, F2, Q

′2〉 ∈ ∆2

}

∪{〈qI , θ1, ∅, Q

′1〉〈qI1, θ1, F1, Q

′1〉 ∈ ∆1


Rs {f} {⟨qI , θ2, {f}, (Q

′2 \ {qI2}) ∪ {qI}

⟩〈qI2, θ2, F2, Q

′2〉 ∈ ∆2

}

∪

{⟨qI , (θ1 ∧ θ2), ∅, Q

′1 ∪Q

′2

⟩ 〈qI1, θ1, F1, Q′1〉 ∈ ∆1,

〈qI2, θ2, F2, Q′2〉 ∈ ∆2

}otherwise

{⟨qI , θ2, F2, (Q

′2 \ {qI2}) ∪ {qI}

⟩〈qI2, θ2, F2, Q

′2〉 ∈ ∆2

}

∪{〈qI , θ1, ∅, Q

′1〉〈qI1, θ1, F1, Q

′1〉 ∈ ∆1


Rw ∅ {⟨qI , θ2, F2, (Q

′2 \ {qI2}) ∪ {qI}

⟩〈qI2, θ2, F2, Q

′2〉 ∈ ∆2

}

∪

{⟨qI , (θ1 ∧ θ2), ∅, Q

′1 ∪Q

′2

⟩ 〈qI1, θ1, F1, Q′1〉 ∈ ∆1,

〈qI2, θ2, F2, Q′2〉 ∈ ∆2

}otherwise


θ1

A1

θ2

θ3

A2qI1 qI2

(a)

θ1A1θ2

θ2

θ3

A2

qI

qI2qI1

θ1

θ3

UwLfin(A2)⊆Lfin(A1)

(b)

θ1

θ1

A1θ2

θ2

θ3

A2

qI

qI1 qI2

θ3

UwLfin(A2) 6⊆Lfin(A1)

(c)

θ1

A1

θ2

A2

qI

qI1 qI2

θ2

θ3

θ1

θ3

RwLfin(A1)⊆Lfin(A2)

(d)

θ1

A1

θ2

θ2

θ3

A2

qI

qI1 qI2

(θ1∧θ2)

(θ1∧θ3)

θ3

RwLfin(A1) 6⊆Lfin(A2)

(e)

Fig. 5.6: Automata built using the refined translation rules for the weak binarytemporal connectives. (a) Two component automata A1 and A2; (b) Automa-ton built from A1 and A2 with the Uw translation rule under the assumptionLfin(A2) ⊆ Lfin(A1); (c) Automaton built from the component automata using theUw rule without the language containment assumption; (d) Automaton built fromA1 and A2 with the Rw translation rule under the assumption Lfin(A1) ⊆ Lfin(A2);(e) Automaton built from the component automata using the Rw rule without the as-sumption. The initial transitions of the automata built for the corresponding strongconnectives have the same target states as the initial transitions of the above au-tomata; however, all the initial self-loops of the automata for the strong connectivesshare an acceptance condition that is not included in either of the component au-tomata


p1

Ap1

p2

Ap2

p1

A(⊥ Rw p1)

p1

p1

p2

A((⊥ Rw p1) Us p2)

p1p2

(a) (b) (c)

Fig. 5.7: The refined Until translation rules cannot be universally substituted for theoriginal ones. (a) Automata Ap1, Ap2 and A(⊥Rw p1) built for the formulas p1, p2,and (⊥Rw p1), respectively; (b) Automaton built for the formula

((⊥Rw p1)Us p2

)

from A(⊥Rw p1) and Ap2 with the original translation rules; (c) Automaton built fromthe same automata with the refined translation rules, ignoring the requirement onthe language containment relationship between the languages fin-accepted by theseautomata

language containment relationship L(ϕ1) ⊆ L(ϕ2). Because (ϕ1 Rs ϕ2) ≡(ϕ2 Us ϕ1) and (ϕ1 Rw ϕ2) ≡ (ϕ2 Uw ϕ1) hold in this case, and because theassumption that L(ϕ1) ⊆ L(ϕ2) holds implies the language containmentassumption in Proposition 5.5.1 for the Until formulas, the translation of theRelease formulas reduces in this case to the translation of Until formulasusing the new translation rules. (As noted in Sect. 5.3, we may not needto apply a rule explicitly if we are able to reuse an automaton built for anUntil formula.) Using an Until rule for the translation in this case removesthe need to collect all pairs of initial transitions of the component automatacorresponding to the subformulas ϕ1 and ϕ2, which reduces the worst-casenumber of initial transitions in the compound automaton. The new rules forthe Release connectives are shown in the lower half of Table 5.3; see alsoFig. 5.6 (d) and Fig. 5.6 (e) for illustration.

We end this section with an example to show that the language contain-ment assumption used in the new translation rules for the Us or Uw connec-tives cannot be lifted in the general case.

Example 5.5.5 Figure 5.7 shows two automata built for the LTL formula

((Gp1) Us p2

)≡

((⊥Rw p1) Us p2

)∈ LTL

({p1, p2}

),

where the automaton in Fig. 5.7 (b) is obtained from the formula using theoriginal translation rules (with the usual restriction of the automaton to statesreachable from its initial state), whereas the automaton in Fig. 5.7 (c) is (er-roneously) built from the formula by applying the new rules, ignoring theprecondition on the language containment relationship between its top-levelsubformulas (⊥Rw p1) and p2; clearly, Lfin(Ap2) (= L(p2)) 6⊆ Lfin(A(⊥Rw p1))(= L(Gp1)) holds in this case. It is easy to see that the automaton shown inFig. 5.7 (c) fin-accepts the word {p1}{p2}

ω, which is, however, not a modelof the LTL formula

((Gp1) Us p2

). �


Ap1

p1

Ap2

p2

A>

>

A⊥

(a)

>p1

A(>Us p1)

> p2

A(>Us p2)

(b)

>p1

A(⊥Rw (>Us p1))

p2>

A(⊥Rw (>Us p2))

(c)

(> ∧>) (> ∧ p2)

(p1 ∧ p2) (p1 ∧ >)

Aϕ

(d)

> p2

(p1 ∧ p2) p1

Aϕ (with simplified transition guards)

(e)

Fig. 5.8: Building an automaton for the LTL formula ϕdef

≡((

⊥Rw (>Us p1))∧

(⊥Rw (>Us p2)

))using the refined translation rules. (a) Automata for the atomic

subformulas of ϕ; (b) Automata for the formulas (>Us p1) and (>Us p2); (c) Au-tomata for the formulas

(⊥Rw (>Us p1)

)and

(⊥Rw (>Us p2)

); (d) Automaton for

the formula ϕ; (e) The automaton obtained from (e) via transition guard simplifica-tion

5.6 DISCUSSION

In this section we illustrate and discuss some effects of adding the new transla-tion rules to the basic procedure for translating LTL formulas into alternatingautomata.

5.6.1 Translation Example Revisited

We start with an example to illustrate the behavior of the new translationrules.

Example 5.6.1 Consider again the LTL formula

(ϕ ∨ ψ)def=

[((⊥Rw (>Us p1)

)∧

(⊥Rw (>Us p2)

))∨

(p3 Rw (p4 Rs p5)

)]

from Ex. 3.1.1; as in Ex. 3.1.1, we translate the formula into an automatonby dealing with its top-level subformulas ϕ and ψ separately.

The basic rules for the atomic subformulas of ϕ yield again the automatashown in Fig. 5.8 (a). Because Lfin(Ap1) ⊆ Lfin(A>) and Lfin(Ap2) ⊆Lfin(A>) obviously hold, we can apply the new rule for the Us connectiveto build the automata for the formulas (>Us p1) and (>Us p2) as shown inFig. 5.8 (b). (Actually, because the automaton A> has no initial self-loops,we obtain in this case the same compound automata as before.)

Because Lfin(⊥) = ∅ holds, the language fin-recognized by A⊥ is triviallya subset of the language fin-recognized by any automaton. Therefore, by


p3

Ap3

p4

Ap4

p5

Ap5

p5(p4 ∧ p5)

A(p4 Rs p5)

p5 (p4 ∧ p5)

(p3 ∧ p5)

(p3 ∧ (p4 ∧ p5)

)

p5(p4 ∧ p5)

Aψ

(a) (b) (c)

Fig. 5.9: Building an automaton for the formula ψdef

≡(p3 Rw (p4 Rs p5)

)using the

refined translation rules. (a) Automata for the atomic subformulas of ψ; (b) Automa-ton for the formula (p4 Rs p5); (c) Automaton for the formula ψ

using the appropriate Rw rule that makes use of this language containmentassumption, we obtain the automata shown in Fig. 5.8 (c) for the subformu-las

(⊥Rw (>Us p1)

)and

(⊥Rw (>Us p2)

). We then apply the new rule for

the ∧ connective (Table 5.2) to build an automaton for the formula ϕ. Asshown in Fig. 5.8 (d), merging all pairs of initial self-loops of the compo-nent automata yields a single-state automaton for the formula ϕ instead ofthe five-state automaton (Fig. 3.2 (d), p. 46) built using the basic translationrules. Figure 5.8 (e) shows the same automaton after simplifying its transitionguards as described in Sect. 5.1.2.

We then repeat the translation for the formula ψ. As before, we start fromthe automata for the atomic formulas (Fig. 5.9 (a)). Because Lfin(Ap4) 6⊆Lfin(Ap5) holds, we use the universally applicable version of the optimizedtranslation rule for the Rs connective to define an automaton for the formula(p4 Rs p5) (Fig. 5.9 (b)). The corresponding rule for the Rw connective is ap-plied to build an automaton for the formula

(p3 Rw (p4 Rs p5)

)(Fig. 5.9 (c)).

In comparison to the automaton obtained in Ex. 3.1.1 (Fig. 3.3 (c), p. 46),the refined translation rules allow us to reduce the number of target states inone transition of the automaton.

Finally, we build an automaton for the formula[((

⊥Rw (>Us p1))∧

(⊥Rw (>Us p2)

))∨

(p3 Rw (p4 Rs p5)

)]

by applying the ∨ rule as shown in Fig. 5.10. This automaton has three statesless than the automaton built for the same formula in Ex. 3.1.1 (cf. Fig. 3.4,p. 47). Additionally, no transition in the automaton built using the refinedrules has more than one target state, which is not the case for the automatonobtained using the basic translation rules. �

5.6.2 Comparison of the Basic and the Refined Translation Rules

The refined translation rules behave very much like the basic rules given inSect. 3.1. For example, because each new translation rule takes a new initialstate for the automaton to be built, the correspondence between states in theautomaton and node subformulas of a given formula ϕ ∈ LTLPNF(AP) ispreserved, and because no new rule changes the transition structure of the


>>

p2

p2

(p1 ∧ p2)

(p1 ∧ p2) p1

p1

p5

p5

(p4 ∧ p5)

(p4 ∧ p5)

(p3 ∧ p5)(p3 ∧ p5)

(p3 ∧ (p4 ∧ p5)

)

(p3 ∧ (p4 ∧ p5)

)

p5(p4 ∧ p5)

Fig. 5.10: Automaton constructed for the LTL formula[((

⊥Rw (>Us p1))∧

(⊥Rw (>Us p2)

))∨

(p3 Rw (p4 Rs p5)

)]using the refined translation rules

component automata to which the rule is applied, the compound automatawill again be self-loop alternating automata. Also all transition guards are stillformed as conjunctions of atomic formulas.

The main difference between the original and the new rules concerns thehandling of acceptance conditions. Recall from the discussion in Sect. 3.1.1that, in any automaton built using the original translation rules, every transi-tion with a nonempty set of acceptance conditions always starts from a statecorresponding to a strong temporal eventuality subformula. Furthermore, allself-loops starting from such a state share the same acceptance condition thatis nevertheless unique in the sense that it is never included in the accep-tance conditions of any transition starting from another state in the automa-ton. The refined rules, however, change this behavior: although the rules forthe strong temporal connectives still introduce new acceptance conditionsas before, the rules for the weak temporal connectives and the ∧ connec-tive may cause an initial transition of a compound automaton to inherit itsacceptance conditions from a transition in a component automaton. Intu-itively, an acceptance condition may thus propagate from transitions definedduring the translation towards transitions defined later in the translation viachains of states corresponding to nested weak eventualities or conjunctions inthe given LTL formula. The “oldest” state of each such chain corresponds toa strong temporal eventuality subformula or the conjunction of binary tem-poral formulas. Therefore, an automaton built using the new rules may con-tain self-loops that share a common acceptance condition even though theyhave different source states; additionally, as illustrated in Ex. 5.6.1, appli-cations of the new rule for the ∧ connective may result in states with self-loops associated with multiple acceptance conditions. Nevertheless, becausethe new rules preserve the acceptance closure of transitions and the exis-tence of representative states for acceptance conditions (Lemma 5.4.8 andLemma 5.5.4; as a matter of fact, a state corresponding to a strong temporaleventuality will remain representative for the corresponding acceptance con-dition throughout the translation), all automata built using the rules can stillbe translated into nondeterministic automata using the simple constructionof Theorem 4.3.2 (or the construction of Proposition 4.5.2, which exploitssyntactic implications).


Clearly, changing the translation rules necessitates a reconsideration ofthe upper bounds obtained in Sect. 3.2 for the sizes of the components ofa self-loop alternating automaton corresponding to an LTL formula ϕ ∈LTLPNF(AP). Recall that the contribution of any automaton built for somesubformula ψ ∈ NSub(ϕ) to the number of states in the automaton for ϕdepends on the number of states reachable from the initial state of the au-tomaton for ψ; obviously, this fact still holds when using the new translationrules.

In the worst case, the original translation rules for the binary temporalconnectives create compound automata in which both initial states of thecomponent automata are reachable from the initial state of the compoundautomaton. (This worst case occurs whenever both component automatahave initial self-loops.) Although the new translation rules sometimes avoidintroducing transitions to the initial state of one of the component automataeven if this automaton has an initial self-loop, it is easy to see that the worstcase cannot be completely avoided since the rules for the Until connectivesunder a negative language containment assumption coincide with the origi-nal translation rules. Nevertheless, the number of states reachable from theinitial state of an automaton built for a binary pure temporal formula usingthe new rules will never exceed the corresponding number of states in an au-tomaton built for the same formula using the original rules, and thus the sizelimit of Corollary 3.2.2 remains valid for a translation procedure extendedwith the new rules for the binary temporal connectives.

The reasoning used in Sect. 3.2 to arrive at Proposition 3.2.1 does not ap-ply, however, to the new translation rule for the ∧ connective. Because thisrule may introduce initial self-loops to a compound automaton, the initialstate of this compound automaton may become reachable from itself; obvi-ously, this never occurs when using the original translation rule for the ∧connective. Because of these initial self-loops, the initial state of the com-pound automaton will thus remain reachable also from any automaton ob-tained from this compound automaton using further translation rules. Con-sequently, the upper bound given in Corollary 3.2.2 for the size of an au-tomaton corresponding to an LTL formula ϕ ∈ LTL(AP) is not valid fora translation procedure extended with the new rule for the ∧ connective; astraightforward correction to this result necessitates taking also all formulas ofthe form (ϕ1∧ϕ2) ∈ Sub(ϕ) into account. This version of the result is, how-ever, less optimal than the original one. As a matter of fact, it is easy to findexamples where the original translation rule outperforms the new rule as faras the number of states reachable from the initial state of the final automatonis concerned.

Example 5.6.2 Consider translating the formula

((Fp1 ∧ Fp2) ∨ p3

)≡

(((>Us p1) ∧ (>Us p2)

)∨ p3

)∈ LTL

({p1, p2, p3}

)

into an automaton using both the original and the new translation rules. Ap-plying the original ∧ rule to the automata built for the formulas (>Us p1)and (>Us p2) (and then simplifying the guards of transitions) results in theautomaton shown in Fig. 5.11 (a). On the other hand, using the new transla-tion rule to build an automaton for the same formula will cause the self-loops


PSfrag

>>

>

p1

p1

p2

p2

(p1 ∧ p2)

>>

>

p1

p1

p2

p2

(p1 ∧ p2)

(a) (b)

>

>>p1

p1

p2

p2

(p1 ∧ p2) p3

>

>>

>

p1

p1

p1

p2

p2

p2

(p1 ∧ p2)

(p1 ∧ p2)

p3

(c) (d)

Fig. 5.11: Greedy application of the refined translation rule for the ∧ connectivemay result in alternating automata with a suboptimal number of states. (a)–(b) Au-tomata built for the formula (Fp1 ∧ Fp2) using the original (a) and refined rules (b),respectively; (c)–(d) Automata built for the formula

((Fp1 ∧ Fp2) ∨ p3

)by applying

the ∨ translation rule to the automata (a) and (b), respectively

starting from the initial states of the component automata to be merged intoan initial self-loop of the compound automaton (Fig. 5.11 (b)).

Applying the ∨ rule to the automaton built using the original rules resultsin the automaton shown in Fig. 5.11 (c). Clearly, the initial state of theautomaton shown in Fig. 5.11 (a) is not reachable from the initial state of thisautomaton. On the other hand, applying the same rule to the automaton inFig. 5.11 (b) results in “unrolling” the initial self-loop of this automaton intoan initial transition of the automaton shown in Fig. 5.11 (d). However, thereare now three (instead of two) states reachable from the initial state of thisautomaton. �

As seen from the above example, the assumption that merging the initialsegments of two branches of an accepting run of a compound automaton(built using the original ∧ rule) results in a reduction in the number of statesin the automaton is obviously very optimistic. To minimize the number ofstates in the alternating automaton, the rule should therefore be used onlysparingly, for example, only if the application of the rule leaves an initialstate of a component automaton unreachable from the initial state of thecompound automaton built using the rule. For instance, this simple heuris-tic would already prevent the situation that arises in Ex. 5.6.2.

Nevertheless, there is a difference between the automata in Fig. 5.11 (c)and Fig. 5.11 (d) as regards translating these automata into nondetermin-istic automata: because the automaton in Fig. 5.11 (d) has no transitions


with two or more target states, this automaton can be completed directly intoa nondeterministic automaton by an application of Lemma 4.6.1. On theother hand, this completion result does not apply to the automaton shownin Fig. 5.11 (c); as a matter of fact, applying the universal subset construc-tion (Theorem 4.3.2) to this alternating automaton yields a nondeterminis-tic automaton that is identical to the one obtained from the automaton inFig. 5.11 (d) as described above. Intuitively, the new rule for the ∧ connec-tive can thus be said to “reduce universality” (i.e., the number of target states)in the transitions of the alternating automaton at the cost of the size of thestate set of the automaton.

5.6.3 Extension of the Subclass LTLCND

We end this section by studying the effects of the new translation rules onthe set of LTL formulas closed under translation into automata which canbe completed into nondeterministic automata without applying the univer-sal subset construction (previously considered in Sect. 4.6). The fact that theautomata built from certain LTL formulas we have seen in previous exam-ples (Fig. 5.10 and Fig. 5.11 (d)) can be completed into nondeterministicautomata by an application of Lemma 4.6.1 is not a coincidence. First, weshall list closure properties of the new translation rules, and then use themto define a simple, yet more expressive, syntactic extension of the subclassLTLCND, for which the satisfiability problem (discussed in Sect. 4.6.5) re-mains NP-complete.

Closure Properties of Refined Translation RulesLet ϕ ∈ LTL(AP) be an LTL formula, and let θ1, θ2 ∈ PL(AP) be twoBoolean formulas. It is clear from the syntactic definition of LTLCND(AP)(Sect. 4.6.3, p. 107) that this subclass of LTL includes all formulas of the formθ1, (θ1 U θ2) and (θ1 R θ2) (where both strong and weak variants of U and R

are allowed). More precisely, as argued in Sect. 4.6.3, the basic translationrules map any formula of one of these forms into a self-loop automaton, inwhich the subautomaton rooted at the initial state of the automaton consistsof a single state; obviously, this fact still holds when using the new translationrules for the ∧, U and R connectives. In short, we say that these formulastranslate into single-state automata; it is clear that every single-state automa-ton is trivially a self-loop automaton that can be extended into a nondeter-ministic automaton by applying Lemma 4.6.1. Furthermore, we say that anautomaton is a single-state loop automaton iff the automaton is a single-stateautomaton, all initial transitions of which are self-loops. For illustration, seeFig. 5.8 (a) and Fig. 5.8 (b) for single-state automata, and Fig. 5.8 (c) andFig. 5.8 (d) for single-state loop automata.

The new translation rules have the following simple closure properties onthe translation of LTL formulas into single-state (loop) automata.

Lemma 5.6.3 Let ϕ ∈ LTL(AP) be an LTL formula which can be trans-lated into a single-state automaton. The formulas (ϕU⊥) and (⊥Rϕ) canbe translated into single-state loop automata.

Proof: Let Aϕ and A⊥ be single-state automata built for the formulas ϕ and


⊥, respectively. Because L(⊥) = ∅ ⊆ L(ϕ) holds trivially, the formulas(ϕU⊥) and (⊥Rϕ) can be translated into automata using the optimizedtranslation rules in Table 5.3. Because the automaton built for the formula⊥ has no initial transitions, it is easy to see that every initial transition of thecompound automaton built from Aϕ and A⊥ will be a self-loop obtainedfrom an initial transition of the automaton Aϕ. Because Aϕ is a single-stateautomaton, the target state set of each transition of Aϕ is either the emptyset, or it consists of the initial state of Aϕ. The result now follows because theoptimized translation rules remove the initial state of Aϕ from every initialtransition of Aϕ when converting it to an initial self-loop of the compoundautomaton. �

Lemma 5.6.4 Let ϕ1, ϕ2 ∈ LTL(AP) be two LTL formulas translatable intosingle-state loop automata. The LTL formula (ϕ1∧ϕ2) can be translated intoa single-state loop automaton.

Proof: Let A1 and A2 be single-state loop automata built for the formulasϕ1 and ϕ2, respectively. Because all pairs of initial transitions of A1 andA2 consist of self-loops of the automata, all of these pairs of transitions aremerged by the new rule for the ∧ connective into initial self-loops of thecompound automaton built from A1 and A2; furthermore, the initial statesof the component automata are not included in the target states of these self-loops. The result now follows because A1 and A2 are single-state automata.

�

Lemma 5.6.3 and Lemma 5.6.4 can be used to identify a simple syntacticsubclass of LTL formulas which can be translated into single-state automata.Formally, we define this subclass LTL1-state(AP) (in terms of an auxiliarysubclass LTL1-loop(AP)) as the smallest set of LTL formulas closed underfinite application of the mutually recursive rules

If θ1, θ2 ∈ PL(AP) and ϕ ∈ LTL1-loop(AP), thenθ1, (θ1 U θ2), (θ1 R θ2), ϕ ∈ LTL1-state(AP); and

if ϕ ∈ LTL1-state(AP) and ψ1, ψ2 ∈ LTL1-loop(AP), then(ϕU⊥), (⊥Rϕ), (ψ1 ∧ ψ2) ∈ LTL1-loop(AP).

(where U and R can be binary temporal connectives of any strength).The above syntactic definition of LTL1-state(AP) was obtained without

considering the semantics of the formulas formed using the recursive rules.As a matter of fact, there are in practice only few meaningful ways to apply therecursive rules to obtain formulas that cannot be trivially expressed as simplerformulas in the subclass. For example, given a formula ϕ ∈ LTL1-state(AP),it does not make sense in practice to write formulas of the form (ϕUs ⊥)or (⊥Rs ϕ), since each of these formulas is trivially equivalent to the for-mula ⊥ as is easily seen from the semantics of the strong binary tempo-ral operators. Likewise, if ϕ ∈ LTL1-loop(AP) holds, then it is easy to seethat (ϕUw ⊥) ≡ (⊥Rw ϕ) ≡ ϕ holds (if the automaton built from ϕ isa single-state loop automaton, then the automaton built from this automa-ton for either of these formulas using the new translation rules is structurallyidentical to the automaton for ϕ). As a nontrivial special case, however, the


subclass LTL1-state(AP) contains all formulas of the form∧

1≤i≤n GFθn ≡∧1≤i≤n

(⊥Rw (>Us θn)

)(where 0 ≤ n < ω, and θi ∈ PL(AP) for all

1 ≤ i ≤ n).1

The following lemma states a further consequence of the new translationrules.

Lemma 5.6.5 Let ϕ1, ϕ2 ∈ LTL(AP) be LTL formulas which can be trans-lated into single-state automata, and let θ ∈ PL(AP) be a Boolean formula.The LTL formulas (ϕ1 ∧ ϕ2) and (θRϕ1) can be translated into self-loopautomata with no transitions having two or more target states.

Proof: Let A1, A2 and Aθ be single-state automata built for the formulasϕ1, ϕ2 and θ, respectively. Because A1 and A2 are single-state automata, notransition in either automaton has two or more target states.

The new translation rule for the ∧ connective merges pairs of initial tran-sitions of A1 and A2 into initial transitions of a compound automaton for theformula (ϕ1∧ϕ2). Let t be one of these transitions. Obviously, the transitiont has at most one target state if it was built from a pair of transitions, one (orboth) of which had an empty set of target states. Otherwise t was built froma pair of self-loops of the automata A1 and A2, in which case t is a self-loopof the compound automaton. Because A1 and A2 are single-state automata,it is easy to see from the definition of the new ∧ rule that t has exactly onetarget state also in this case.

An automaton for the formula (θRϕ1) can be built using the universallyapplicable version of the optimized rule for the Release connective. Everyinitial transition of this automaton is either a self-loop obtained from an ini-tial transition of A1 by removing the initial state of A1 from the target statesof this transition, or a transition whose target states comprise the union ofthe target states of an initial transition of Aθ and an initial transition of A1.Because A1 is a single-state automaton and the target state set of every tran-sition of Aθ is empty, it follows that all initial transitions of the compoundautomaton have at most one target state (which is either the initial state ofthe compound automaton, or the initial state of A1). �

The Subclass LTLCND+

Combining the above definition of LTL1-state(AP) with Lemma 4.6.2 andLemma 5.6.5, we obtain the following syntactic definition of a subclass offormulas which can be translated (effectively using a translation procedureextended with the new translation rules for the ∧, U and R connectives) intoself-loop alternating automata with no transitions having two or more targetstates. (The proof that this is indeed the case proceeds similarly to the proof

1Formulas of the form∧

1≤i≤n GFθn are sometimes used as simple fairness constraintsto restrict verification of an LTL formula ϕ to computations that satisfy a set of proposi-tional constraints infinitely often, using formulas of the form ¬

((∧

1≤i≤n GFθn) → ϕ)≡(

(∧

1≤i≤n GFθn) ∧ ¬ϕ)

in verification. Because any fairness constraint of this form can betranslated into a single-state automaton (as observed already by Couvreur [1999]), the alter-nating automaton built for the formula [¬ϕ]PNF combined with the fairness constraint isnever more than two states larger than the automaton built for the formula [¬ϕ]PNF.


of Proposition 4.6.3, using Lemma 5.6.5 as an additional base case for induc-

tion.) Formally, we define the subclasss LTLCND+(AP) as the smallest set of

LTL formulas closed under finite application of the syntactic rule

If θ ∈ PL(AP), ϕ1, ϕ2 ∈ LTL1-state(AP), and ψ1, ψ2 ∈ LTLCND+(AP),

thenϕ1, (ϕ1 ∧ ϕ2), (θ Rϕ1), Xψ1, (ψ1 ∨ ψ2), (ψ1 ∧ θ), (θ ∧ ψ1), (θUψ1),

(ψ1 R θ) ∈ LTLCND+(AP)

(where U and R can be either weak or strong binary temporal connectives).

Similarly to the class LTLCND(AP), LTLCND+(AP) is closed under rewrit-

ing formulas into positive normal form. For example, it is straightforward tocheck from the syntactic definition that the formula

[((⊥Rw (>Us p1)

)∧

(⊥Rw (>Us p2)

))∨

(p3 Rw (p4 Rs p5)

)]

considered in Ex. 3.1.1 and Ex. 5.6.1 belongs to the class LTLCND+(AP),

and the same holds for the formula((

(>Us p1)∧(>Us p2))∨p3

)considered

in Ex. 5.6.2.

Expressiveness and SatisfiabilityBecause PL(AP) ⊆ LTL1-state(AP) holds, it is easy to see from the syntac-

tic definition that LTLCND(AP) ⊆ LTLCND+(AP) holds. Therefore, every

LTL formula expressible in LTLCND(AP) is trivially logically equivalent to

a formula in LTLCND+(AP). This property does not hold in the converse

direction, however: the class LTLCND+(AP) is strictly more expressive than

the subclass LTLCND(AP) for any nonempty set of atomic propositions AP .(We prove this result only indirectly, referring to known results [Clarke andDraghicescu 1989; Maidl 2000a] on the relative expressive power of LTLand the branching time temporal logics CTL [Clarke and Emerson 1982a,b]and CTL? [Emerson and Halpern 1983, 1986]; see, for example, [Emerson1990] for an introduction into the syntax and semantics of these branchingtime logics.)

Proposition 5.6.6 Let AP be a nonempty set of atomic propositions. The

subclass LTLCND+(AP) is strictly more expressive than LTLCND(AP).

Proof: Let p ∈ AP be an atomic proposition. Consider the LTL formula

GF¬p ≡(⊥Rw (>Us ¬p)

)∈ LTL(AP). Obviously, because (>Us ¬p) ∈

LTL1-state(AP) holds,(⊥Rw (>Us ¬p)

)∈ LTLCND+

(AP) holds by the syn-

tactic definition of LTLCND+(AP). We show that no formula in the subclass

LTLCND(AP) is logically equivalent to this formula.Suppose that there exists a formula ϕ ∈ LTLCND(AP) such that ϕ ≡(

⊥Rw (>Us ¬p))≡ GF¬p holds. By Proposition 4.6.6, ϕ is also logically

equivalent to the formula [ϕ]det ∈ LTLdet(AP) obtained from ϕ by applying

the rewrite rules presented in Sect. 4.6.4. Let ψdef=

[¬[ϕ]det

]PNFbe the

positive normal form of ¬[ϕ]det; clearly, ψ ≡ ¬ϕ ≡ ¬GF¬p ≡ FGp holds,

and by the definition of LTLdet(AP), ψ belongs to the subclass LTLdet(AP)


of Maidl [2000a]. By Corollary 1 of [Maidl 2000a], there exists a formula ψ′

in the branching time logic CTL such that the model checking problems forthe formula ψ′ and the CTL? formula Aψ ≡ A(FGp) have the same answer inevery state in every structure. This is, however, a contradiction, because theformula A(FGp) is known to be not equivalent in this sense to any formula inthe logic CTL [Clarke and Draghicescu 1989]. Therefore, our assumptionthat ϕ ∈ LTLCND(AP) holds is incorrect, and the result follows. �

Let ϕ ∈ LTLCND+(AP) be a formula. Because the translation proce-

dure extended with the rules presented in this chapter still maps all Booleanformulas into single-state automata, and because each application of a newtranslation rule adds one new state to the constructed automaton, the num-ber of states in an automaton built from [ϕ]PNF is bounded by the lengthof ϕ. Clearly, also the number of acceptance conditions in this automatonstill remains bounded by |ϕ|: identically to the basic translation, the newtranslation rules introduce new acceptance conditions only for binary tem-poral subformulas with a strong main connective. By Lemma 4.6.1, the au-tomaton can be completed into a nondeterministic automaton with at most1 + |ϕ| states. Proposition 4.6.10 now applies to show that formulas in the

class LTLCND+(AP) have the same “small model” property as the formulas

in the class LTLCND(AP). Therefore, a consideration identical to the one inthe proof of Corollary 4.6.11 shows that also the decision problem for satisfi-

ability in LTLCND+(AP) is NP-complete.

Proposition 5.6.7 Let AP be a countably infinite set of atomic propositions.

The satisfiability problem for LTLCND+(AP) is NP-complete.

As noted in Sect. 4.6.5, the satisfiability of a CTL formula obtained from aformula ϕ ∈ LTLCND(AP) by prefixing all of its temporal operators with theexistential CTL path quantifier implies the existence of a nonbranching tree(i.e., a word) model for the CTL formula, and this model can be identifiedwith a model for ϕ. This correspondence between ∃CTL satisfiability andthe existence of word models does not directly carry over to ∃CTL formulas

obtained from those in the subclass LTLCND+(AP) using the same conver-

sion, however: for example, applying the conversion to the LTL formula

(Fp ∧ G¬p) ≡((>Us p) ∧ (⊥Rw ¬p)

)∈ LTLCND+(

{p})

yields the satisfiable ∃CTL formula(E(>Us p)∧ E(⊥Rw ¬p)

), which never-

theless has no word model because the LTL formula is unsatisfiable. Hence,the NP-completeness of ∃CTL satisfiability [Kupferman and Vardi 1995,2000] does not directly allow to conclude the above NP-completeness result

for satisfiability in LTLCND+(AP) unlike in the case for LTLCND(AP).


6 REMOVING REDUNDANT TRANSITIONS

The refined translation rules introduced in the previous chapter can be seenas heuristics for simplifying self-loop alternating automata built using thebasic rules of Sect. 3.1 by replacing some of their transitions with transi-tions having fewer target states without changing the language of the au-tomata. The refined rules do not explicitly aim for reducing the actualnumber of states or transitions in an automaton, however; all such reduc-tions (if any) arise only as indirect side effects of applying the refined rules.In this chapter, we shall explore techniques for detecting redundant tran-sitions that can be removed from a self-loop alternating automaton with-out changing its language. Formally, a transition t ∈ ∆ of an automatonA = 〈Σ, Q,∆, qI ,F〉 is (fin-)redundant iff A is fin-equivalent to the automa-ton A′ =

⟨Σ, Q,∆ \ {t}, qI ,F

⟩obtained from A by removing the transition

t from ∆. (Clearly, if A is a self-loop alternating automaton, then so is A′,because the automaton A′ obviously has at most as many simple cycles as A.Therefore, all heuristics specific to the simplification of self-loop alternatingautomata remain applicable to A′ and any automaton obtained from it byremoving more transitions.)

The incremental translation procedure for building increasingly complexautomata from simpler automata can easily be combined with on-the-fly tran-sition redundancy analysis [Gastin and Oddoux 2001]. Because the structureof every automaton A built using a rule in the translation procedure fromLTL into automata remains unchanged in any further application of a rulethat uses A as a component, the language of A remains fixed regardless ofthe way the translation rules are used after A has been defined. Therefore,the automaton A can be scanned for redundant transitions immediately af-ter constructing it. In particular, removing all redundant initial transitionsof A before applying another translation rule reduces the effort needed forbuilding a compound automaton in which A occurs as a component, aswell as any automaton built incrementally from these component automata.This kind of on-the-fly transition redundancy analysis is conceptually moredifficult to combine with tableau-based procedures for translating LTL di-rectly into nondeterministic automata due to the “top-down” approach usedin these procedures to construct the automaton. The requirement for ac-cess to a complete automaton for ϕ is implicit also in the design of manyminimization techniques based on the use of simulation relations [Etessamiand Holzmann 2000; Somenzi and Bloem 2000; Etessami et al. 2001, 2005;Etessami 2002; Fritz and Wilke 2002, 2005; Gurumurthy et al. 2002].

We shall concentrate on the detection of redundant initial transitions ofself-loop alternating automata due to its above potential benefits in reducingthe effort needed for the incremental application of the translation rules. Ob-viously, this restriction will in the general case miss some opportunities forremoving transitions: even though the translation procedure is “modular” inthe syntactic structure of the formula, it is not modular in the sense that everynonredundant initial transition of an automaton would remain nonredun-dant in automata built from it incrementally. For example, the automatonbuilt from the formula

(Fp1 ∨ X(Gp1 ∨ p2)

)∈ LTL

({p1, p2}

)with the basic

156 6. REMOVING REDUNDANT TRANSITIONS

q1

q2 q3

q4

>>>

p1

p1p1

p1

p2

Fig. 6.1: A self-loop alternating automaton A built for the formula(Fp1 ∨ X(Gp1 ∨

p2)). The transition from the state q3 to the state q4 is redundant in A even though

it is not redundant in Aq3

translation rules has redundant (non-initial) transitions even though no sub-automaton rooted at one of its non-initial states has any redundant transitions(see Fig. 6.1). Of course, this phenomenon is hardly surprising because ofthe obvious analogy between incremental transition redundancy analysis andthe task of simplifying a compound LTL formula built from one or two ar-bitrary subformulas and a connective. Nevertheless, the “local” approach tothe detection of redundant transitions has, besides special cases that are eas-ier to check than the general case, advantages that ease the implementationof the translation procedure. For example, restricting redundancy analysisto the transitions starting from the initial state of an automaton will triviallypreserve the correspondence between the states of the automaton and thenode subformulas of the formula under translation. Therefore the subau-tomata built for these subformulas remain directly accessible in case they areneeded again in the translation if some of these subformulas occur multipletimes in the formula.

6.1 REDUNDANT TRANSITIONS AND LANGUAGE CONTAINMENT

It is clear that any transformation used for simplifying an alternating automa-ton A is correct (in the sense that it preserves the language fin-recognized bythe automaton) iff A and the automaton A′ built in the transformation satisfythe language containment relationships

Lfin(A) ⊆ Lfin(A′) and Lfin(A

′) ⊆ Lfin(A).

In particular, if the automaton A′ is obtained from A by removing transi-tions, it is easy to see that the right-hand condition holds trivially betweenthe automata, since all fin-accepting runs of A′ are fin-accepting runs of Ain this case. In transition redundancy analysis, it is thus sufficient to checkthat the left-hand language containment relationship holds between the au-tomata. By the classic reformulation of language containment (see Sect. 5.2),this test involves finding an automaton for the language Lfin(A′). In the lan-guage containment based optimizations of Sect. 5.3 and Sect. 5.5, a self-loop

6. REMOVING REDUNDANT TRANSITIONS 157

alternating automaton that recognizes the complement of the language ofanother self-loop alternating automaton could be found by reusing the trans-lation procedure from LTL into automata because the automaton had beenoriginally built for a known (subformula of an) LTL formula. However, thepresent language containment problem differs from these previous cases inthat the automaton A′ is now obtained directly from another automaton in-stead of an LTL formula. Even if the automaton A did correspond to a knownLTL formula, removing a transition from it may break this correspondence,and checking whether this is the case is merely a restatement of the languagecontainment problem.

If the given automaton A is a self-loop alternating automaton, then obvi-ously also the automaton A′ obtained from A by removing one of its transi-tions is such an automaton. Therefore, an LTL formula ψ corresponding tothe automaton A′ can be found, for example, via the reverse translation dis-cussed in Sect. 3.4. In principle, an automaton for the complement languageLfin(A′) can be then obtained as before by applying the basic translation pro-cedure to the positive normal form of ¬ψ. Unfortunately, as noted in the dis-cussion at the end of Sect. 3.4, a reverse translation procedure based on theincremental application of the pattern given in Lemma 3.4.1 may yield anLTL formula with exponentially many syntactically distinct subformulas inthe number of states in the automaton A′, and thus translating the negationof this formula back into an automaton using the basic translation procedurerequires exponential time. It is nevertheless not always necessary to apply thereverse translation to all states of the automaton A′: because A and A′ areself-loop alternating automata that differ only in the transitions leaving thesource state q of the transition that was removed from A, the automaton A′

shares with the automaton A all subautomata that do not include the stateq. If the automaton A was built from an LTL formula ϕ using the translationrules, it may therefore be possible to substitute some formulas in a reversetranslation pattern directly with subformulas of ϕ corresponding to these sub-automata. It is thus sufficient to apply the reverse translation to the state qin addition to all states of which q is a descendant in A′; in other words, thecost of reverse translation increases with the length of the longest path fromthe initial state of A′ to the state q. If the redundancy analysis is restricted tothe initial transitions of A, however, the formula ψ can be found from A′ ina single reverse translation step applied to the initial state of the automaton.

Even though some subformulas of ϕ can be reused in the reverse transla-tion procedure for finding an LTL formula ψ corresponding to the automa-ton A′, the automata built for these subformulas cannot in the general casebe reused in the translation of the positive normal form of ¬ψ back into anautomaton without repeating the translation procedure. Although this re-quirement is in fact common to all language containment checks presented,the reverse translation used in the present case is nevertheless likely to intro-duce formulas that are not subformulas of ϕ nor the positive normal form of¬ϕ. Because the formula ψ also depends on the particular transition cho-sen for the redundancy analysis, it becomes difficult to estimate beforehandthe actual number of formula translation subproblems that will arise duringthe construction and simplification of a self-loop alternating automaton builtfrom the formula ϕ. In the next section, we examine special cases of tran-


sition redundancy analysis in which the reverse translation can be avoidedby dividing the language containment test Lfin(A) ⊆ Lfin(A

′) into severalsubproblems. These special cases allow for limited transition redundancyanalysis while keeping the formula translation subproblems within the set ofnode subformulas of ϕ and (the positive normal forms of) their negations.

6.2 DETECTING REDUNDANT INITIAL TRANSITIONS BY TRANSITION SUB-

STITUTION

In this section, we develop heuristics for detecting redundant initial transi-tions in self-loop alternating automata without solving the general languagecontainment problem presented in Sect. 6.1. Our results combine localstructural analysis of the automata with language containment checks thatcan be handled by applying the basic translation only to node subformulasof a given LTL formula or their negations. In some cases, however, we haveto trade the language containment test between two languages (as describedin the previous section) for a more general one that involves containmentbetween set intersections of languages. We present our results using arbi-trary self-loop alternating automata; their application to self-loop alternatingautomata with acceptance synchronized runs will be discussed in Sect. 6.2.5.

6.2.1 Redundant Transitions and Runs of an Automaton

Rephrasing the criterion on transition redundancy as a condition on runs ofan automaton A, we see a transition to be redundant iff, for every accept-ing run of A that contains an edge labeled with the transition, there existsanother accepting run (on the same input) in which the automaton avoidstaking this transition. This high-level intuition of finding accepting runs inwhich the automaton avoids taking a given transition forms the basic strat-egy of proving the results of this section by modifying accepting runs of Athat contain edges labeled with the transition into accepting runs that do notcontain such edges.

By the above characterization, a transition is obviously redundant if itnever occurs in any accepting run of the automaton. We have already usedthis fact previously in Corollary 2.3.11 and Sect. 5.1.2 for removing transi-tions with an empty guard (characterizable by an unsatisfiable Boolean for-mula in PL(AP) in automata having the alphabet 2AP ), or transitions thatspawn a collection of subautomata, the intersection of whose languages isempty.

Obviously, all redundant transitions of self-loop alternating automata donot necessarily fall into the above category, and the automaton may well haveaccepting runs, some edges of which are labeled with redundant transitions.In the following, we shall investigate conditions under which these runs canbe modified into accepting runs in which the automaton avoids taking suchtransitions. Formally, we shall often make use of the following result thatcharacterizes an obvious way to extract a semi-run avoiding a given transitionfrom any run of the automaton by truncating every branch of the run at thefirst occurrence of an edge labeled with the transition. If this semi-run can


then be extended back into an accepting run (on the same input) that stillavoids the transition, it follows that the transition is redundant if the sameextension result holds for all words in the language of the automaton.

Lemma 6.2.1 Let G = 〈V,E, L〉 be a fin-accepting run of an alternatingautomaton A = 〈Σ, Q,∆, qI ,F〉 on some w ∈ Σω, and let t ∈ ∆ be atransition of A with source state q ∈ Q. The graph G′ = 〈V ′, E ′, L′〉, where

• V ′0

def= {v0}, V ′

i+1def=

⋃v∈V ′

i

{V ′′ ⊆ Vi+1 〈v, V ′′〉 ∈ E, L

(〈v, V ′′〉

)6= t

}

for all 0 ≤ i < ω,

• E ′ def=

{〈v, V ′′〉 ∈ E {v} ∪ V ′′ ⊆ V ′, L

(〈v, V ′′〉

)6= t

}, and

• L′(x)def= L(x) for all x ∈ V ′ ∪E ′,

is a fin-accepting semi-run of A on w such that none of the edges of E ′ islabeled with the transition t, and every node of G′ with no outgoing edges islabeled with the state q.

Proof: Obviously, V ′ ⊆ V (with V ′i ⊆ Vi for all 0 ≤ i < ω) and E ′ ⊆ E hold;

because G is a run, it follows that G′ can be partitioned into finite disjointlevels with edges between successive levels of G′.

Because G is a run of A, L′(v0) = L(v0) = qI holds. Let v ∈ V ′. BecauseG is a run and V ′ ⊆ V holds, v has a unique consistently labeled outgoingedge e ∈ E inG. Because E ′ ⊆ E holds, v now has either no outgoing edgesin G′, or v keeps its unique outgoing edge; by the definition of E ′, this edgeis always labeled with a transition different from t. Because L′(x) = L(x)holds for all x ∈ V ′ ∪ E ′, the labeling of e is still consistent in G′.

Let v′ ∈ V ′i for some 1 ≤ i < ω. From the definition of V ′ it follows that

there exists a node v ∈ V ′i−1 and an edge e = 〈v, V ′′〉 ∈ E, v′ ∈ V ′′, such

that L(e) 6= t holds. Therefore e ∈ E ′ holds, and G′ is a semi-run of A on w.Clearly, because every infinite branch β ′ ∈ B(G′) is also an infinite

branch in G and L′(e) = L(e) holds for all e ∈ E ′, fin(β ′) = ∅ holds inboth G and G′, and thus G′ is a fin-accepting semi-run of A.

Finally, if v ∈ V ′ has no outgoing edges, then the unique edge startingfrom v in G is labeled with the transition t, and because the labeling of G isconsistent, v is labeled with the source state of t in G, i.e., L(v) = q = L′(v)holds. �

6.2.2 Transition Substitution

Obviously, a run of a self-loop alternating automaton can be modified toavoid a given transition, for example, if the automaton has another transitionthat can be substituted for every occurrence of the given transition in therun. Clearly, such a substitution can be made only if the transitions sharetheir source state, and if the automaton could in fact have taken either of thetransitions at each occurrence of the given transition in the run. Formally,given two transitions t = 〈q,Γ, F,Q′〉 ∈ ∆ and t′ = 〈q′,Γ′, F ′, Q′′〉 ∈ ∆ of

an alternating automaton A = 〈Σ, Q,∆, qI ,F〉 and a set Γ ⊆ Γ of symbolsfrom the automaton’s alphabet, we say that the transition t′ is Γ-substitutable


for t (in a run of A) iff t 6= t′, q = q′ and Γ ⊆ Γ′ hold. The transitions t andt′ are called the substituted and the substituting transitions, respectively. (Ifthe guards Γ and Γ′ are represented in an automaton with the alphabet 2AP

using their characteristic Boolean formulas θ ∈ PL(AP) and θ′ ∈ PL(AP),respectively, then Γ ⊆ Γ′ holds iff the propositional implication (θ → θ′) isvalid.)

Let t and t′ be two transitions of an alternating automaton A with thecomponents specified above. Obviously, renaming an edge labeled with thetransition t in a run of A with the transition t′ (using the above criterionfor substitutability) necessitates that t and t′ share their set of target states tokeep the labeling of the run consistent. In accepting runs of the automa-ton, however, a less restrictive strategy for substituting the transition t′ foran occurrence of the transition t is to require (besides substitutability) thatthe subautomata rooted at the target states of t′ accept the remainder of theinput beginning at the level following the occurrence of t. Intuitively, therun could thus be first modified into an accepting semi-run of A (apply-ing the principle in Lemma 6.2.1 to remove the occurrence of t from therun), and then extended back into an accepting run of A using acceptingruns of subautomata rooted at the target states of t′ on the rest of the input(Proposition 2.3.14). Formally, for all Γ ⊆ Γ, we say that the transition t′ isΓ-substitutable for t under fin-acceptance iff t′ is Γ-substitutable for t′, and⋂q′∈Q′ Lfin(A

q′) ⊆⋂q′∈Q′′ Lfin(A

q′) holds.

6.2.3 Substitutability and Redundant Initial Transitions of Self-loop Automata

Substitutability of transitions under fin-acceptance suggests a general strat-egy for detecting redundant transitions in an alternating automaton by find-ing sufficient conditions under which every occurrence of an edge labeledwith a transition t = 〈q,Γ, F,Q′〉 in a fin-accepting run of the automatoncan be replaced (along with the fragment of the run starting from the sourcenode of the edge) for all σ ∈ Γ with an edge labeled with another transitionthat is {σ}-substitutable for the transition t under fin-acceptance. Unfortu-nately, the local criteria on substitutability under fin-acceptance are not al-ways sufficient to guarantee this global substitutability property if some of thelanguages recognized by the subautomata rooted at the target states of a sub-stituting transition depend on the substituted transition. For example, eventhough the •-transition of the automaton shown on the left in Fig. 5.8 (c)(p. 146) is substitutable for the transition with no acceptance conditions un-der fin-acceptance for all models of the guard p1, the run obtained from afin-accepting run of the automaton by substituting the •-transition for everyoccurrence of the other transition is no longer fin-accepting.

Because the language of an automaton depends only on the subautoma-ton rooted at its initial state (Proposition 2.3.12), checking that the sourcestate of a substituted transition is neither a target state of a substituting tran-sition (under fin-acceptance) nor reachable from any of these states in theautomaton provides a sufficient additional condition to ensure that the lan-guage of the automaton is not changed by the removal of the substituted tran-sition. In self-loop alternating automata, this property follows immediately if,


for all symbols σ in the guard of the substituted transition, there exists a non-self-loop transition that is {σ}-substitutable for it under fin-acceptance.

Proposition 6.2.2 Let t = 〈q,Γ, F,Q′〉 ∈ ∆ be a transition of a self-loopalternating automaton A = 〈Σ, Q,∆, qI ,F〉. Assume that there exists anonempty set of non-self-loop transitions T = {t1, t2, . . . , tn} ⊆ ∆ \ {t}(for some 1 ≤ n < ω such that ti = 〈q,Γi, Fi, Q

′i〉 and q /∈ Q′

i hold for all1 ≤ i ≤ n), such that for all σ ∈ Γ, there exists a transition t′ ∈ T that is {σ}-substitutable for t under fin-acceptance. The automaton A is fin-equivalent

to the automaton A′ def=

⟨Σ, Q,∆ \ {t}, qI ,F

⟩obtained from A by removing

the transition t from ∆.

Proof: As noted in Sect. 6.1, Lfin(A′) ⊆ Lfin(A) holds trivially. To show lan-

guage containment in the other direction, let w ∈ Lfin(A). By Lemma 6.2.1,we can extract from a fin-accepting run G = 〈V,E, L〉 of A on w a fin-accepting semi-run G′ = 〈V ′, E ′, L′〉 that contains no edges labeled with thetransition t. Obviously, G′ is then also a fin-accepting semi-run of A′ on w.

Let v ∈ V ′i for some 0 ≤ i < ω be a node with no outgoing edges in G′;

by the definition of G′, the unique outgoing edge of v in G is labeled withthe transition t = 〈q,Γ, F,Q′〉. Because L is consistent, w(i) ∈ Γ holds, andthe union of the labels of the successors of v in G is equal to Q′, and becauseG is fin-accepting, it follows (Proposition 2.3.9) that Aq′ fin-accepts wi+1 forall q′ ∈ Q′, i.e., wi+1 ∈

⋂q′∈Q′ Lfin(A

q′) holds.Because w(i) ∈ Γ holds, there exists an index 1 ≤ j ≤ n such that

the transition tj = 〈q,Γj, Fj , Q′j〉 ∈ T is

{w(i)

}-substitutable for t un-

der fin-acceptance. Therefore w(i) ∈ Γj and wi+1 ∈⋂q′∈Q′ Lfin(A

q′) ⊆⋂q′∈Q′

jLfin(A

q′) hold, and it follows that Aq′ fin-accepts wi+1 also for all

q′ ∈ Q′j . By Proposition 2.3.15, it follows that the automaton Aq has a fin-

accepting run on wi, where the edge starting from the node at level 0 of thisrun is labeled with the transition tj , and the target nodes of this edge are la-beled with the states in Q′

j . By Proposition 2.3.6, all states in this run (exceptpossibly the node at level 0) are labeled with descendants of the state q. Butthen, because q /∈ Q′

j holds and Aq is a self-loop alternating automaton, itfollows that no state at a level greater than 0 is labeled in this run with thestate q, either, and because tj 6= t holds, no edge in this run is labeled withthe transition t. It follows that the run is a fin-accepting run of (A′)q on wi.

Because the above result holds for all nodes of G′ with no outgoing edges,the fin-accepting semi-run G′ can be extended into a fin-accepting run of A′

on w by Proposition 2.3.14. Therefore w ∈ Lfin(A′) holds, and it follows that

Lfin(A) ⊆ Lfin(A′) holds. �

If a substituting transition is a self-loop, it includes its own source state inits target states. Because also the substituted transition is rooted at this state,it may not be safe to remove the substituted transition from the automatonwithout changing the language of the subautomaton rooted at the commonsource state of the transitions. It is in some cases nevertheless possible to findthe substituted transition to be redundant without resorting to, for example,reverse translation based transition redundancy analysis.

Consider an infinite branch in a fin-accepting run of a self-loop alternat-ing automaton. If the source state of a substituted self-loop is a transient state


of the automaton, then every self-loop starting from this state can occur as thelabel of only finitely many edges in the branch (cf. Corollary 2.3.19). Conse-quently, no substituting transition (under fin-acceptance) can contribute tothe acceptance conditions occurring infinitely many times along this branch,either, regardless of whether the transition is a self-loop or not. The require-ments on transition substitution under fin-acceptance now guarantee that thelanguage of the subautomaton rooted at the transient state is preserved if thesubstituted self-loop is removed from the automaton.

In case the source state of the substituted self-loop is not a transient statein the automaton, the conditions on substitutability under fin-acceptance arenot by themselves sufficient to allow the self-loop to be safely removed fromthe automaton such that the language of the automaton is preserved. Be-cause transition substitution does not depend on the acceptance conditionsof the transitions, it may occur, for example, that the nontransient sourcestate of the substituted self-loop becomes transient when this self-loop is re-moved from the automaton. Consequently, the language of the automatonmay change in the modification, for example, if the new transient state hasno other successors than itself. Obviously, this problem will not arise if theset of acceptance conditions of the substituting transition is a subset of theconditions of the substituted transition. This requirement can be generalizedslightly: the substituted self-loop can safely be removed if there exists (for ev-ery symbol σ in the guard of the substituted transition) a set of transitions, allof which are {σ}-substitutable for the transition under fin-acceptance suchthat the transitions do not share any acceptance conditions that are not in-cluded also in the acceptance conditions of the substituted self-loop. (Inruns of self-loop alternating automata, the acceptance conditions of the sub-stituting transitions can affect fin-acceptance only in those infinite branchesthat converge to the common source state of the transitions. Therefore, forexample, if an infinite branch of an accepting run ends in an infinite suffixin which the automaton simply repeats the substituted transition, then ev-ery occurrence of this transition can be replaced with a finite sequence ofsubstituting transitions. The properties of the sets of substituting transitionsguarantee that the substitution can be done throughout the entire suffix with-out violating fin-acceptance.)

The above informal discussion can be summarized as the following result.

Proposition 6.2.3 Let t = 〈q,Γ, F,Q′〉 ∈ ∆ be a self-loop transition of a self-loop alternating automaton A = 〈Σ, Q,∆, qI ,F〉. Assume that, for all σ ∈ Γ,there exists a nonempty set of transitions Tσ = {tσ,1, tσ,2, . . . , tσ,nσ} ⊆ ∆\{t}(for some 1 ≤ nσ < ω) with acceptance conditions Fσ,1, Fσ,2, . . . , Fσ,nσ ⊆ F(respectively) such that tσ,i is {σ}-substitutable for t under fin-acceptancefor all 1 ≤ i ≤ nσ, and either q is a transient state of A, or

⋂1≤i≤nσ

Fσ,i ⊆

F . The automaton A is fin-equivalent to the automaton A′ def=

⟨Σ, Q,∆ \

{t}, qI ,F⟩

obtained from A by removing the transition t from ∆.

Proof: As noted in Sect. 6.1, Lfin(A′) ⊆ Lfin(A) holds trivially. We show that

the language inclusion holds also in the converse direction. Letw ∈ Lfin(A),and let G = 〈V,E, L〉 be a fin-accepting run of A on w. By Lemma 6.2.1,the run G can be modified into a fin-accepting semi-run G′ = 〈V ′, E ′, L′〉


that does not contain edges labeled with the transition t; obviously, G′ is thena fin-accepting semi-run of the automaton A′ on w. Our goal is to show thatG′ can be extended into a fin-accepting run of A′ on w. Because all nodes ofG′ with no outgoing edges are labeled with the state q (by the constructionin Lemma 6.2.1), it needs to be shown that the automaton (A′)q fin-acceptswi for all 0 ≤ i < ω for which V ′

i contains a node with no outgoing edges inG′: the result then follows directly by applying Proposition 2.3.14.

(Construction of a fin-accepting run of (A′)q) Let v ∈ V ′i ⊆ Vi be a node

with no outgoing edges inG′ for some 0 ≤ i < ω. Because L′(v) = L(v) = qholds, v is (in G) the initial node of a fin-accepting run of Aq on wi em-bedded in G (Proposition 2.3.9). By Proposition 2.3.7, there exists an in-dex 0 ≤ j ≤ ω such that this run contains a chain of edges (ek)0≤k<j+1,ek ∈ E ∩ (Vi+k × 2Vi+k+1), where the transition L(ek) = 〈q,Γk, Fk, Q

′k〉 ∈ ∆

is an initial self-loop of Aq for all 0 ≤ k < j, and if j < ω holds, thenthe transition L(ej) = 〈q,Γj, Fj , Q

′j〉 ∈ ∆ is an initial transition of Aq

that is not a self-loop. We shall use this chain of edges to define a chainof initial transitions of Aq (not including the transition t) that satisfies the fin-acceptance condition. This chain of transitions will then be used to define afin-accepting run of (A′)q on w. To ensure that the fin-acceptance conditionis always satisfied, we need to treat every acceptance condition not includedin t’s acceptance conditions F fairly in the construction. For this purpose,write F \ F = {f1, f2, . . . , fm} for some 0 ≤ m < ω; in addition to the se-quence of transitions, we define a sequence of integers c0, c1, c2, . . . to guide

the definition of the chain of transitions. Let c0def= 1.

(Construction of a chain of transitions) Assume that ck has been definedfor some 0 ≤ k < j + 1, and 1 ≤ ck ≤ max{1, m} holds. (This is

obviously the case if k = 0.) If L(ek) 6= t holds, let tkdef= L(ek) and

ck+1def= ck. Otherwise, if L(ek) = t = 〈q,Γ, F,Q′〉 holds, write wi(k) =

σk; because the labeling L is consistent, σk ∈ Γ holds. By the assump-tion, there exists an integer 1 ≤ nσk

< ω and a nonempty set of transi-tions Tσk

= {tσk ,1, tσk,2, . . . , tσk,nσk} ⊆ ∆ \ {t} (with acceptance conditions

Fσk ,1, Fσk,2, . . . , Fσk,nσk⊆ F , respectively) such that every transition in Tσk

is {σk}-substitutable for t under fin-acceptance. In this case we choose thetransition tk from the set Tσk

as follows:

• If q is a transient state of A or m = 0, let tk ∈ Tσkbe any transition in

Tσk, and define ck+1

def= ck.

• Otherwise, if q is not a transient state of A and m ≥ 1 holds, then⋂1≤`≤nσk

Fσk ,` ⊆ F holds by the assumption. It is easy to see that

there exists, for all f ∈ {f1, f2, . . . , fm}, a transition tfσk∈ Tσk

that isnot an f -transition of A. In particular, because 1 ≤ ck ≤ m holds,

the transition tfckσk ∈ Tσk

is not an fck -transition. In this case we define

tkdef= t

fckσk and ck+1

def= (ck mod m) + 1.

It is easy to see that 1 ≤ ck+1 ≤ max{1, m} holds by the construction. Ifthe transition tk is not a self-loop, we stop the construction; otherwise werepeat the same steps to define the transition tk+1. Obviously, the inductiveconstruction always ends after a finite number of steps if j < ω holds (in


this case, the transition L(ej) 6= t is not an initial self-loop of Aq, so theconstruction ends at the latest after the transition tj has been defined.) Insummary, we thus find an index 0 ≤ ` ≤ j such that the transition tk is aninitial self-loop of Aq for all 0 ≤ k < `, and if ` < ω, then t` is an initialtransition of Aq which is not a self-loop. Furthermore, it is easy to see thattk 6= t holds for all 0 ≤ k < `+ 1 by the construction.

(Definition of a semi-run G of (A′)q on wi) Write tk=〈q, Γk, Fk, Q′k〉 and

Q′k \ {q} = {qk,1, . . . , qk,nk

} (for some 0 ≤ nk < ω) for all 0 ≤ k < `, and

if ` < ω holds, write Q′` = {q`,1, . . . , q`,n`

} for some 0 ≤ n` < ω. Define the

graph Gdef= 〈V , E, L〉, where

• V0def= {v0}, Vk+1

def= {vk,1, . . . , vk,nk

} ∪

{{vk+1} if k < `∅ otherwise

for all

0 ≤ k < `+ 1, and if ` < ω, let Vkdef= ∅ for all `+ 1 < k < ω;

• Edef=

⋃0≤k<`+1

{〈vk, Vk+1〉

}; and

• for all 0 ≤ k < `+1, let L(vk)def= q, L(vk,k′)

def= qk,k′ for all 1 ≤ k′ ≤ nk,

and L(〈vk, Vk+1〉

)def= tk.

(G is a semi-run of (A′)q on wi)

(Partitioning) Clearly, V0 = {v0} is a singleton, and G consists of finite

disjoint levels with edges between successive levels of G.

(Causality) Let v ∈ Vk for some 0 ≤ k < ` + 1. Then v either hasno outgoing edges, or v = vk holds, and v has the unique outgoing edge〈v, Vk+1〉 ∈ E. Furthermore, if k ≥ 1 holds, then v is obviously a succes-sor of the node vk−1 ∈ Vk−1 in G. It follows that G satisfies both causalityconstraints required of a semi-run of (A′)q.

(Consistency of L) Clearly, L(v0) = q is the initial state of Aq. Let

e = 〈vk, Vk+1〉 ∈ E be an edge in G for some 0 ≤ k < ` + 1. By thedefinition of L, L(e) = tk = 〈q, Γk, Fk, Q

′k〉 holds. By the construction

of G, L(vk) = q holds, and it is easy to check that also L(Vk+1) = Q′k

holds. The labeling L is thus consistent if wi(k) ∈ Γk and tk ∈ ∆ \ {t}hold. This is clear if L(ek) 6= t holds in the original run G, since inthis case tk = L(ek) = 〈q,Γk, Fk, Q

′k〉 ∈ ∆ \ {t} holds, and because

ek ∈ E ∩ (Vi+k × 2Vi+k+1) holds and L is consistent, wi(k) ∈ Γk = Γkholds. Otherwise, if L(ek) = t holds, then tk is one of the

{wi(k)

}-

substitutable transitions Twi(k) ⊆ ∆ \ {t}, and wi(k) ∈ Γk follows from{wi(k)

}-substitutability. It follows that the labeling L is consistent.

(G is fin-accepting) If ` < ω holds, then E contains only finitely many

edges, and thus G is trivially a fin-accepting semi-run of (A′)q onwi. Because` ≤ j holds, this occurs whenever q is a transient state of A: otherwise (if` = j = ω), the chain of edges (ek)0≤k<j+1 labeled with initial self-loops ofAq would violate the fin-acceptance condition in the fin-accepting run of Aq

embedded in G.


If ` = j = ω holds and q is not a transient state of A, then the runG contains the unique infinite branch (ek)0≤k<ω =

(〈vk, Vk+1〉

)0≤k<ω

. If

L(ek) = t holds for only finitely many 0 ≤ k < ω in the chain of edges(ek)0≤k<ω, then there exists an index 0 ≤ `′ < ω such that L(ek) = L(ek)holds for all `′ ≤ k < ω by the construction of the sequence (tk)0≤k<ω andthe definition of the labeling L. Because the chain (ek)0≤k<ω is an infinitebranch in a fin-accepting run of Aq on wi, it follows that fin

((ek)0≤k<ω

)=

fin((ek)`′≤k<ω

)= fin

((ek)`′≤k<ω

)= fin

((ek)0≤k<ω

)= ∅ holds, and thus G

is a fin-accepting semi-run of (A′)q on wi.Otherwise the chain (ek)0≤k<ω contains infinitely many edges labeled

with the transition t. We show that for all acceptance conditions f ∈ F ,L(ek) is not an f -transition of (A′)q for infinitely many 0 ≤ k < ω. Thenobviously f /∈ fin

((ek)0≤k<ω

)holds, and because the same result holds for

all acceptance conditions f ∈ F , we may conclude that fin((ek)0≤k<ω

)= ∅

holds, and G is fin-accepting. Obviously, this result holds trivially if F = ∅holds.

Assume that f ∈ F holds, i.e., that the transition t is an f -transition of A.Because fin

((ek)0≤k<ω

)= ∅ holds, the transition L(ek) is not an f -transition

of A for infinitely many 0 ≤ k < ω. Because t is an f -transition, however, itfollows that L(ek) 6= t holds at all of these indices. By the definition of thetransitions tk and the semi-run G, it follows that L(ek) = tk = L(ek) holds atall of these indices, and it is easy to see that f /∈ fin

((ek)0≤k<ω

)holds.

Let f ∈ F \ F . Because L(ek) = t holds for infinitely many 0 ≤ k < ω,it follows from the inductive definition of the integers ck that fck = f holdsfor infinitely many k such that L(ek) = t holds (the integer ck+1 is definedby incrementing ck modulo the number of acceptance conditions in F \ Fiff L(ek) = t holds). Obviously, the definition of the transitions tk thenguarantees that tk = L(ek) is not an f -transition of (A′)q at any of theseindices. Therefore f /∈ fin

((ek)0≤k<ω

)= ∅ holds also in this case. By the

above observation, it follows that G is a fin-accepting semi-run of (A′)q onwi.

(G can be extended into a fin-accepting run of (A′)q on wi) Let v ∈ V be

a node with no outgoing edges in G. Then v = vk,k′ ∈ Vk+1 holds for

some 0 ≤ k < ω and 1 ≤ k′ ≤ nk, and L(v) 6= q holds. Because thefin-accepting run G contains the edge ek ∈ Vi+k × 2Vi+k+1 , the target nodesof which are labeled with (exactly) the target states of the transition L(ek) =〈q,Γk, Fk, Q

′k〉, it follows (Proposition 2.3.9) that (Aq)q

′(= Aq′) fin-accepts

wi+k+1 = (wi)k+1 for all q′ ∈ Q′k, i.e., (wi)k+1 ∈

⋂q′∈Q′

kLfin(A

q′) holds.

We show that (wi)k+1 ∈ Lfin(AbL(v)) holds. This is clear if L(ek) 6= t

holds, because in this case L(v) = qk,k′ ∈ Q′k holds by the definition of G.

Otherwise, if L(ek) = t holds, the setQ′k coincides with the set of target states

Q′ of the transition t, and thus (wi)k+1 ∈⋂q′∈Q′ Lfin(A

q′) holds. Because the

transition tk = 〈q, Γk, Fk, Q′k〉 is in this case chosen from a set of transitions{

wi(k)}-substitutable for t under fin-acceptance, it follows that (wi)k+1 ∈⋂q′∈Q′ Lfin(A

q′) ⊆⋂q′∈ bQ′

kLfin(A

q′) holds. In particular, because L(v) ∈ Q′k

holds by the definition of G, it follows that AbL(v) fin-accepts (wi)k+1.


Because L(v) 6= q is a successor of q and A is a self-loop alternating au-

tomaton, AbL(v) =(Aq)

bL(v) =((A′)q

)bL(v)holds, and it follows that

((A′)q

)bL(v)

fin-accepts (wi)k+1. Because the same reasoning applies to all nodes of Gwith no outgoing edges, G can be extended into a fin-accepting run of (A′)q

on wi by Proposition 2.3.14.

(G′ can be extended into a fin-accepting run of A′ on w) The above con-

struction can now be repeated at every level 0 ≤ i < ω of G′ containinga node (labeled with the state q) with no outgoing edges to show that wi ∈Lfin

((A′)q

)holds. By Proposition 2.3.14, it follows that the fin-accepting

semi-run G′ can be extended into a fin-accepting run of A′ on w. Becausethe result holds for all w ∈ Lfin(A), Lfin(A) ⊆ Lfin(A

′) holds. �

It is easy to see that Proposition 6.2.2 is actually only a special case ofProposition 6.2.3 if the substituted transition is a self-loop of a self-loop al-ternating automaton simplified in the sense of Corollary 2.3.20. The pre-conditions of Proposition 6.2.2 are nevertheless simpler than those used inProposition 6.2.3; additionally, Proposition 6.2.2 is applicable also to substi-tuted transitions that are not self-loops of the automaton.

Other special cases of the results with simpler preconditions can be ob-tained by strengthening the conditions on substitutability of transitions. Forexample, instead of finding a {σ}-substitutable transition for every symbolσ in the guard Γ of a substituted transition t, a single non-self-loop tran-sition that is Γ-substitutable for t under fin-acceptance suffices to show inProposition 6.2.2 that t is redundant. Similarly, a self-loop t can be foundto be redundant using Proposition 6.2.3 by exhibiting, instead of a family ofsets, a single set of transitions, all of which are Γ-substitutable for t underfin-acceptance and together satisfy the constraint on the intersection of theiracceptance conditions. Of course, special cases such as these are less generalthan the above results and do not apply in as many situations (see Ex. 6.2.11in Sect. 6.2.6).

6.2.4 Reducing Language Containment Between Intersections of Languages to Lan-guage Emptiness

Identically to the language containment tests used in Ch. 5, the generalversion of the test for the redundancy of a transition in an automaton A(Sect. 6.1) can be reduced to checking for the emptiness of the set intersec-tion of the language of A with the complement of the language of anotherautomaton (see Sect. 5.2). Because substitutability under fin-acceptance de-pends on a condition on language containment between set intersections oftwo families of languages, applying the standard reduction of language con-tainment into language emptiness to this problem yields an equation whichrefers to a more general Boolean combination of languages (see below); how-ever, this problem on language emptiness can easily be reduced to multipletests, each of which again involves only intersections of languages, via basicset-theoretic manipulation as follows.

Lemma 6.2.4 For any two finite families of languages Λ1,Λ2 ⊆ 2Σωover the

finite alphabet Σ,⋂

L1∈Λ1L1 ⊆

⋂L2∈Λ2

L2 holds iff( ⋂

L1∈Λ1L1

)∩L2 holds


for all L2 ∈ Λ2 \ Λ1 (where we write L = Σω \ L for all L ⊆ Σω).

Proof:⋂

L1∈Λ1L1 ⊆

⋂L2∈Λ2

L2 holds

iff(⋂

L1∈Λ1L1

)∩

⋂L2∈Λ2

L2 = ∅iff

(⋂L1∈Λ1

L1

)∩

( ⋃L2∈Λ2

L2

)= ∅

iff⋃

L2∈Λ2

((⋂L1∈Λ1

L1

)∩ L2

)= ∅

iff⋃

L2∈Λ2\Λ1

((⋂L1∈Λ1

L1

)∩ L2

)= ∅ (

( ⋂L1∈Λ1

L1

)∩ L2 = ∅ for all L2 ∈ Λ1)

iff(⋂

L1∈Λ1L1

)∩ L2 = ∅ holds for all L2 ∈ Λ2 \ Λ1.

�

By instantiating the languages in Lemma 6.2.4 with languages fin-recog-nized by subautomata of an alternating automaton A, we obtain the follow-ing immediate corollary that applies to testing substitutability of transitionsunder fin-acceptance.

Corollary 6.2.5 Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automaton. Forall subsets Q1, Q2 ⊆ Q,⋂

q∈Q1

Lfin(Aq) ⊆

⋂

q∈Q2

Lfin(Aq) holds iff

( ⋂

q1∈Q1

Lfin(Aq1)

)∩Lfin(Aq2) = ∅

holds for all q2 ∈ Q2 \Q1.

A well-known special case (used, for example, by Gastin and Oddoux[2001] in an optimization to their translation procedure from LTL into veryweak alternating automata) of the above result arises when the setQ2 is a sub-set of the set Q1. Obviously, the right-hand side condition of Corollary 6.2.5holds trivially in this case.

Corollary 6.2.6 Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automaton. Forall subsets Q1, Q2 ⊆ Q,

⋂

q∈Q1

Lfin(Aq) ⊆

⋂

q∈Q2

Lfin(Aq) holds if Q2 ⊆ Q1.

(Intuitively, this result is easy to justify: if Q2 ⊆ Q1 holds, a word w ∈⋂q∈Q1

Lfin(Aq) belongs to all languages Lfin(A

q) (q ∈ Q2) in addition to alllanguages determined by the states in Q1 \ Q2, and thus it is “harder” for wto belong to the language w ∈

⋂q∈Q1

Lfin(Aq).)

6.2.5 Compatibility with Nondeterminization of Automata Built from LTL Formulas

Clearly, an automaton obtained from a self-loop alternating automaton byremoving one or more of its redundant transitions is a self-loop alternatingautomaton. Therefore, this automaton can be translated into a nondeter-ministic one using the universal subset construction given in Theorem 4.2.1(Sect. 4.2). In our application of translating LTL formulas into nondetermin-istic automata, however, we have preferred using the optimized constructionof Theorem 4.3.2 (Sect. 4.3.2) instead to avoid introducing new acceptanceconditions in the translation. As observed in Sect. 4.3.4, the automata built


from LTL formulas using the basic translation rules have special structuraland semantic properties (acceptance closed transitions and representativestates for acceptance conditions, see Sect. 4.3.3) that allow the automata tobe translated into nondeterministic automata using the optimized univer-sal subset construction. These properties are also preserved when applyingthe new translation rules discussed in Ch. 5. In this section we investigateconditions under which these properties continue to hold when removingredundant initial transitions from self-loop alternating automata.

We first state two results on the preservation of acceptance closure andthe existence of representative states for acceptance conditions under theremoval of redundant initial transitions from self-loop alternating automata.It is easy to show that any acceptance closed self-loop alternating automatonsimplified in the sense of Corollary 2.3.20 remains such an automaton if oneof its transitions is removed. (This transition need not even be redundant.)

Proposition 6.2.7 Let A = 〈Σ, Q,∆, qI ,F〉 be an acceptance closed self-loop alternating automaton simplified in the sense of Corollary 2.3.20, and

let t ∈ ∆ be a transition of A. Let A′ def=

⟨Σ, Q,∆\{t}, qI ,F

⟩be the automa-

ton obtained from A by removing the transition t from ∆. The automatonA′ is an acceptance closed self-loop alternating automaton simplified in thesense of Corollary 2.3.20.

Proof: Obviously, the automaton A′ is a self-loop alternating automaton sim-plified in the sense of Corollary 2.3.20. We check that A′ is acceptanceclosed. Let t′ ∈ ∆ \ {t} be an f -transition of A′ for some acceptance condi-tion f ∈ F . Because the set of acceptance conditions of every non-self-looptransition in ∆ is empty, t′ is a self-loop of A′, i.e., t′ contains its source statein its target states. Clearly, this state is an f -state of A′. Because the sameresult holds for all transitions and acceptance conditions of A′, it follows thatA′ is acceptance closed. �

The following proposition states sufficient conditions under which the re-moval of a redundant initial transition from an alternating automaton (withno non-self-loop transitions to its initial state) will not interfere with the ex-istence of a representative state for an acceptance condition if the conditionstill occurs in a transition of the simplified automaton.

Proposition 6.2.8 Let A = 〈Σ, Q,∆, qI ,F〉 be an alternating automatonwith no non-self-loop transitions having the state qI as a target state, and letf ∈ F be an acceptance condition for which A has an f -representative stateqf ∈ Q. Let t = 〈qI ,Γ, F,Q

′〉 ∈ ∆ be a redundant initial transition ofA such that there exists, for all σ ∈ Γ, a nonempty set of transitions Tσ ={tσ,1, tσ,2, . . . , tσ,nσ} ⊆ ∆ \ {t} (for some 1 ≤ nσ < ω) with acceptanceconditions Fσ,1, Fσ,2, . . . , Fσ,nσ ⊆ F , respectively, such that for all t′ ∈ Tσ, t′

is {σ}-substitutable for t in A under fin-acceptance, and⋂

1≤i≤nσFσ,i ⊆ F

holds. Let A′ def=

⟨Σ, Q,∆ \ {t},F

⟩be the automaton obtained from A by

removing the transition t. The automaton A′ has no non-self-loop transitionshaving the state qI as a target state, and either A′ has no f -states, or the stateqf is an f -representative state of A′.


Proof: Because A has no non-self-loop transitions having qI as a target state, itis easy to see from the definition of A′ that A′ has no such transitions, either.If the transition t is the only f -transition of A, then the result follows triviallybecause A′ has no f -states in this case. Otherwise A′ contains at least onef -state. We need to show that the state qf is an f -representative state of A′.For this purpose, we first make the following observations:

(Lfin

((A′)q

)= Lfin(A

q) holds for all q ∈ Q) First, it is easy to see that

Lfin

((A′)q

)= Lfin(A

q) holds for all q ∈ Q: clearly, this equality holds forall q ∈ Q \ {qI}, because (A′)q = Aq holds in this case (∆ contains nonon-self-loop transitions having the state qI as a target state). Furthermore,the automata (A′)qI and AqI are fin-equivalent, because the transition t isredundant in A.

(Lffin

((A′)q

)= Lffin(A

q) holds for all q ∈ Q) We claim that also

Lffin

((A′)q

)= Lffin(A

q) holds for all q ∈ Q. Clearly, Lffin

((A′)q

)⊆

Lffin(Aq) holds by the definition of A′ for all q ∈ Q: if the subautoma-

ton (A′)q is able to fin-accept a word by avoiding an initial f -transition,then so is Aq, since any fin-accepting run of (A′)q on some w ∈ Σω is afin-accepting run of Aq on w.

To show language containment in the other direction, let q ∈ Q, andlet w ∈ Lffin(A

q). By Proposition 2.3.15 (and the definition of Lffin(Aq)),

there exists a transition tq = 〈q,Γq, Fq, Q′q〉 ∈ ∆ such that w(0) ∈ Γq

and f /∈ Fq hold, and Aq′ fin-accepts w1 for all q′ ∈ Q′q. If tq 6= t

holds, then the transition tq is a transition of A′, and because w1 ∈Lfin(A

q′) = Lfin

((A′)q

′)holds for all q′ ∈ Q′

q by the above observation, itfollows (Proposition 2.3.15) that (A′)q fin-accepts w by avoiding an initialf -transition.

Otherwise tq = t is the initial transition removed from A. Let σdef=

w(0). By the assumption, there exists a nonempty set of transitions Tσ ={tσ,1, tσ,2, . . . , tσ,nσ} ⊆ ∆ \ {t} of A for some 1 ≤ nσ < ω (with ac-ceptance conditions Fσ,1, Fσ,2, . . . , Fσ,nσ ⊆ F , respectively) such thatthe transition tσ,i is {σ}-substitutable for the transition t in A under fin-acceptance for all 1 ≤ i ≤ nσ, and

⋂1≤i≤nσ

Fσ,i ⊆ F holds. Becausethe transition t = tq is not an f -transition, it follows that Tσ containsa transition tf = 〈q,Γf , Ff , Q

′f〉 ∈ Tσ that is not an f -transition of A.

Clearly, tf is an initial transition of the automaton A′, and because tf is{σ}-substitutable for the transition t in A under fin-acceptance, it followsthat w(0) ∈ Γf and w1 ∈

⋂q′∈Q′

fLfin(A

q′) =⋂q′∈Q′

fLfin

((A′)q

′)hold.

Therefore, (A′)q fin-accepts w by avoiding an initial f -transition also inthis case. It follows that Lffin(A

q) ⊆ Lffin

((A′)q

)holds for all q ∈ Q.

It is now easy to check that the state qf has the properties required of an f -representative state of A′. Let q ∈ Q be an f -state of A′, and let w ∈ Σω bean infinite word over the alphabet Σ.

(w ∈ Lffin

((A′)qf

)∩ Lfin

((A′)q

)implies w ∈ Lffin

((A′)q

)) By the above

observations, w ∈ Lffin

((A′)qf

)∩Lfin

((A′)q

)implies that w ∈ Lffin(A

qf )∩Lfin(A

q) holds. Because qf is an f -representative state of A, it follows thatw ∈ Lffin(A

q) = Lffin

((A′)q

)holds.


(w ∈ Lffin

((A′)q

)implies wi ∈ Lffin

((A′)qf

)for some i) Assume that

w ∈ Lffin

((A′)q

)(= Lffin(A

q)) holds. Because qf is an f -representativestate of A, it follows that there exists an index 0 ≤ i < ω such that wi ∈Lffin(A

qf ) = Lffin

((A′)qf

)holds.

Clearly, the same reasoning applies to all f -states of A′. We conclude that qfis an f -representative state of A′. �

Proposition 6.2.8 characterizes a set of sufficient conditions under whichit is safe to remove a redundant initial transition from an automaton withoutinvalidating the existence of representative states for the acceptance condi-tions occurring in the transitions of the automaton. It is easy to see that theseconditions hold whenever using Proposition 6.2.2 to detect redundant tran-sitions in self-loop automata simplified in the sense of Corollary 2.3.20; asimilar result holds for a strengthened version of Proposition 6.2.3 that doesnot treat transient states of the automaton as a special case.

Proposition 6.2.9 Let A = 〈Σ, Q,∆, qI ,F〉 be a self-loop alternating au-tomaton simplified in the sense of Corollary 2.3.20. Let t = 〈qI ,Γ, F,Q

′〉 ∈∆ be a transition of A that can be found to be redundant in A by applyingProposition 6.2.2, or Proposition 6.2.3, without considering transient statesof A as a special case. For all σ ∈ Γ, there exists a nonempty set of tran-sitions Tσ = {tσ,1, tσ,2, . . . , tσ,nσ} (for some 1 ≤ nσ < ω) with acceptanceconditions Fσ,1, Fσ,2, . . . , Fσ,nσ ⊆ F , respectively, such that for all t′ ∈ Tσ, t′

is {σ}-substitutable for t in A under fin-acceptance, and⋂

1≤i≤nσFσ,i ⊆ F

holds.

Proof: If the transition t can be found to be redundant in A by applyingProposition 6.2.2, A has (for all σ ∈ Γ) a non-self-loop initial transition tσ ∈∆\{t} that is {σ}-substitutable for t in A under fin-acceptance. Because thetransition tσ is not a self-loop, it has an empty set of acceptance conditions (Ais simplified in the sense of Corollary 2.3.20), and thus the set {tσ} satisfiesthe conditions required of the set Tσ.

Otherwise, if t is found to be redundant by applying Proposition 6.2.3(without considering transient states of A as a special case), the existence ofthe family {Tσ}σ∈Γ follows directly from the conditions of Proposition 6.2.3.

�

If A = 〈2AP , Q,∆, qI ,F〉 is a self-loop alternating automaton built froman LTL formula ϕ ∈ LTLPNF(AP) using the (basic or refined) translationrules, then A is an acceptance closed self-loop alternating automaton withan f -representative state for all acceptance conditions f ∈ F for which ithas an f -state (Lemma 4.3.8, Proposition 5.4.3, Proposition 5.5.1). Fur-thermore, because all translation rules guarantee that the set of acceptanceconditions of every non-self-loop transition of A is empty, A is constructedsimplified in the sense of Corollary 2.3.20. Because no automaton built us-ing the translation rules obviously has any non-self-loop transitions to its ini-tial state, either, A satisfies the assumptions used in Proposition 6.2.7 andProposition 6.2.8 (for all acceptance conditions f ∈ F ). Therefore, all ofthese properties are preserved if one (or more) of the redundant initial tran-sitions of A is removed, provided that each of these transitions satisfies the


constraints given in Proposition 6.2.8. (By Proposition 6.2.9, these conditionsare guaranteed to hold for every transition that can be found to be redun-dant using Proposition 6.2.2 or a version of Proposition 6.2.3 strengthenedby removing the special case for transient states of the automaton.) As notedin Corollary 4.3.7, the simplified automaton can be translated into a fin-equivalent nondeterministic automaton using the optimized universal subsetconstruction of Theorem 4.3.2 without introducing new acceptance condi-tions; additionally, the simplified automaton can be used again in a furtherapplication of a translation rule.

6.2.6 Examples

In this section we illustrate the simplification of self-loop alternating au-tomata using Proposition 6.2.2 and Proposition 6.2.3 with several examples.

A Final Look at the Running Example

We first reconsider automata built in Ex. 5.6.1 (Sect. 5.6).

Example 6.2.10 As seen in Ex. 5.6.1, the LTL formula

ϕdef

≡((

⊥Rw (>Us p1))∧

(⊥Rw (>Us p2)

))∈ LTL

({p1, p2}

)

can be translated into a single-state automaton (repeated in Fig. 6.2 (a)) usingthe refined translation rules defined in Sect. 5.5 (Table 5.3). Let q denotethe unique state of this automaton. The transition relation of the automatonconsists of the self-loops t1 =

⟨q,>, {•, ◦}, {q}

⟩, t2 =

⟨q, p1, {◦}, {q}

⟩, t3 =⟨

q, p2, {•}, {q}⟩

and t4 =⟨q, (p1 ∧ p2), ∅, {q}

⟩.

Clearly, the guard of the transition t4 encodes the unique symbol {p1, p2}of the alphabet 2{p1,p2} of the automaton. Because

((p1 ∧ p2) → p1

)and(

(p1 ∧ p2) → p2

)are valid propositional implications (i.e.,

{{p1, p2}

}⊆{

{p1}, {p1, p2}}

and{{p1, p2}

}⊆

{{p2}, {p1, p2}

}hold) and because t2,

t3 and t4 share their target states, the transitions t2 and t3 are {p1, p2}-sub-stitutable under fin-acceptance for t4 in the automaton. Because the inter-section of the acceptance conditions of t2 and t3 is empty, it follows that theset of transitions {t2, t3} satisfies the preconditions of Proposition 6.2.3 on theunique symbol in the guard of t4. Therefore the transition t4 is redundant,and it can be removed from the automaton to obtain the automaton shownin Fig. 6.2 (b).

Joining the automaton in Fig. 6.2 (b) with the automaton in Fig. 6.2 (c)

(built for the formula ψdef

≡(p3 Rw (p4 Rs p5)

)in Sect. 5.6) using the transla-

tion rule for the ∨ connective yields the automaton shown in Fig. 6.2 (d) forthe formula (ϕ∨ψ). We can now apply Proposition 6.2.2 several times to re-move some of the initial transitions of this automaton: for example, because(p2 → >) is a valid propositional implication, the >-labeled initial non-self-loop of the automaton is {σ}-substitutable for the initial transition with guardp2 (under fin-acceptance, because the transitions share their target state) forall σ ∈ 2{p1,p2} such that σ |= p2 holds, and thus the latter transition can beremoved from the automaton by Proposition 6.2.2. Two further applicationsof this result then yield the automaton shown in Fig. 6.2 (e). �


> p2

(p1 ∧ p2) p1

> p2

p1

p5 (p4 ∧ p5)

(p3 ∧ p5)

(p3 ∧ (p4 ∧ p5)

)

p5(p4 ∧ p5)

(a) (b) (c)

>

>p2

p2

p1

p1

p5

p5

(p4 ∧ p5)

(p4 ∧ p5)

(p3 ∧ p5)(p3 ∧ p5)

(p3 ∧ (p4 ∧ p5)

)

(p3 ∧ (p4 ∧ p5)

)

p5(p4 ∧ p5)

(d)

>

> p2

p1

p5

p5

(p4 ∧ p5)

(p3 ∧ p5)(p3 ∧ p5)

(p3 ∧ (p4 ∧ p5)

)

(p3 ∧ (p4 ∧ p5)

)

p5(p4 ∧ p5)

(e)

Fig. 6.2: Using Proposition 6.2.2 and Proposition 6.2.3 to optimize translation ofLTL formulas into self-loop alternating automata. (a) Automaton built for the for-

mula ϕdef

≡((

⊥Rw (>Us p1))∧

(⊥Rw (>Us p2)

))in Sect. 5.6; (b) Automaton

obtained from (a) by applying Proposition 6.2.3; (c) Automaton built for the for-

mula ψdef

≡(p3 Rw (p4 Rs p5)

)in Sect. 5.6; (d) Automaton built from (b) and (c) for

the formula (ϕ ∨ ψ); (e) Automaton obtained from (d) by repeated application ofProposition 6.2.2


¬p1

¬p1 p1

p2 p3

>

> ¬p1

¬p1

p2 p3

>

p1 ¬p1

¬p1

p2 p3

p1

(a) (b) (c)

Fig. 6.3: Using Proposition 6.2.2 and Proposition 6.2.3 to find redundant initialtransitions that cannot be detected using the stronger notion of substitutability men-tioned at the end of Sect. 6.2.3. (a) A self-loop alternating automaton; (b) Automatonobtained from (a) by applying Proposition 6.2.3; (c) Automaton obtained from (b)by applying Proposition 6.2.2

Comparison between Notions of Transition SubstitutabilityAs a matter of fact, the previous example remains the same when usingthe stronger notion of substitutability (i.e., Γ-substitutability with respect tothe guard Γ of a transition instead of {σ}-substitutability on individual sym-bols σ ∈ Γ) mentioned at the end of Sect. 6.2.3 (p. 167) when applyingProposition 6.2.2 and Proposition 6.2.3. In some cases, however, the weakernotion of substitutability is necessary to detect the redundancy of a transitionusing Proposition 6.2.2 or Proposition 6.2.3.

Example 6.2.11 Consider the self-loop alternating automaton (with the al-phabet 2{p1,p2,p3}) shown in Fig. 6.3 (a). (This automaton can be obtainedby translating the LTL formula

((p1 ∨ Xp2) Rw (¬p1 ∨ Xp3)

)into a self-loop

alternating automaton and then simplifying the guards of its transitions asdescribed in Sect. 5.1.2; the basic and the refined translation rules yield thesame automaton for this LTL formula.) Denote the initial state of the au-tomaton by qI , and denote the two other states of the automaton (from leftto right) by q1 and q2. The initial transitions of the automaton can thenbe written as t1 =

⟨qI ,¬p1, ∅, {qI}

⟩(the initial self-loop of the automa-

ton with guard ¬p1), t2 =⟨qI ,>, ∅, {qI , q2}

⟩(the other initial self-loop),

t3 =⟨qI , p1, ∅, {q2}

⟩(the transition with guard p1), t4 =

⟨qI ,¬p1, ∅, {q1}

⟩

(the non-self-loop transition with guard ¬p1) and t5 =⟨qI ,>, ∅, {q1, q2}

⟩.

Clearly, the guard Γ2 of the transition t2 contains all symbols of the au-tomaton’s alphabet (i.e., Γ2 = 2{p1,p2,p3} holds). It is easy to see that thetransition t1 is {σ}-substitutable for the transition t2 for all σ ∈ Γ2 such thatp1 /∈ σ holds. Because the transition t3 is substitutable for t2 on the remain-ing symbols in Γ2 and because the target state sets of t1 and t3 are subsets ofthe target state set of the transition t2, it follows that for all σ ∈ Γ2, one of thetransitions t1 and t3 is {σ}-substitutable for t2 under fin-acceptance (the con-dition on fin-acceptance follows directly by Corollary 6.2.6). Because the au-tomaton has no acceptance conditions, it is easy to see that there exists (for allsymbols σ ∈ Γ2) a set of transitions ({t1} or {t3}) that satisfies the conditionsrequired in Proposition 6.2.3 (using the self-loop t2 as the substituted transi-tion). Therefore the transition t2 is redundant; removing this transition fromthe automaton yields the automaton shown in Fig. 6.3 (b). (Note that the


redundancy of t2 cannot be shown with Proposition 6.2.3 using the strongernotion of Γ2-substitutability, because neither t1 nor t3 is Γ2-substitutable fort2 in A.)

Similarly, it is straightforward to check that the transition t3 is {σ}-substi-tutable under fin-acceptance also for the transition t5 for all σ ∈ 2{p1,p2,p3}

such that p1 ∈ σ holds. Because the transition t4 is {σ}-substitutable underfin-acceptance for t5 on the remaining symbols in the guard of t5, it follows(by Proposition 6.2.2, because neither of the transitions t3 or t4 is a self-loop)that also the transition t5 is redundant and can be removed from the automa-ton as shown in Fig. 6.3 (c). (As above, neither t3 nor t4 is substitutable byitself for t5 on all symbols in the guard of t5.) �

Comparison with the Translation of Gastin and Oddoux [2001]The following examples demonstrate cases in which the refined translationrules—combined with transition removal using Proposition 6.2.3 using a re-stricted notion of transition substitutability suggested by Gastin and Oddoux[2001]—yield automata with a polynomial number of transitions for certainLTL formulas for which this notion of substitutability does not allow any sim-plification of the automata built for the same formulas using the basic rules,leading to an exponential blow-up in the number of transitions instead. Be-cause the basic translation rules given in Sect. 3.1 are essentially identical tothe ones used by Gastin and Oddoux [2001] in their translation, we obtainin this way a comparison of our refined translation against their translationprocedure. Incidentally, the families of formulas in the examples are virtuallythe same as those used by Gastin and Oddoux [2001] for benchmarking theirimplementation against other implementations.

For convenience, we shall write guards of transitions using set notation:for a formula θ ∈ PL(AP), we write Γθ ⊆ 2AP as the set of models of θ;obviously, Γ> ∩ Γ = Γ holds for all Γ ⊆ 2AP . Additionally, we say that atransition t′ = 〈q′,Γ′, F ′, Q′′〉 of a self-loop alternating automaton is substi-tutable for another transition t = 〈q,Γ, F,Q′〉 of the automaton in the senseof Gastin and Oddoux iff t′ is Γ-substitutable for t in the usual sense (i.e., ift′ 6= t, q′ = q and Γ ⊆ Γ′ hold), and Q′′ ⊆ Q′ holds. (By Corollary 6.2.6, itis immediate that substitutability in the sense of Gastin and Oddoux impliessubstitutability under fin-acceptance.)

Example 6.2.12 Let {ϕn}1≤n<ω be the family of LTL formulas over the setof atomic propositions AP = {p1, p2, p3, . . .} defined inductively by the rules

ϕ1def= GFp1, and

ϕi+1def= (ϕi ∧ GFpi) for all 1 ≤ i < ω,

where, as usual, GFpi is a shorthand for the formula(⊥Rw (>Us pi)

)for

all 1 ≤ i < ω. Formulas in this family appear in formulas of the form¬((∧ni=1 GFpi) → ψ

)(for a fixed formula ψ) used by Gastin and Oddoux

[2001] in their benchmarks.

(Translation using the basic rules) It is easy to check that the automaton

built for a formula GFpi for any 1 ≤ i < ω using the basic translation ruleshas two initial transitions

{⟨qGFpi

,Γ>, ∅, {qGFpi, qFpi

}⟩,⟨qGFpi

,Γpi, ∅, {qGFpi

}⟩}


(where we write qψ for the initial state of the automaton built for the formulaψ); see Fig. 3.2 (c) on p. 46 for illustration. It is easy to see that neitherof these transitions is substitutable for the other in the sense of Gastin andOddoux since neither Γ> ⊆ Γpi

nor {qGFpi, qFpi

} ⊆ {qFpi} hold.

Let 1 ≤ i < ω. Assume that every initial transition of the automatonAϕi

built for the formula ϕi has an empty set of acceptance conditions anda nonempty guard Γ such that for all σ ∈ 2AP and j > i, σ ∈ Γ holdsonly if both σ ∪ {pj} ∈ Γ and σ \ {pj} ∈ Γ hold (i.e., the guard doesnot “depend” on the proposition pj). Assume also that no initial transitionof the automaton Aϕi

built for the formula ϕi is substitutable for anotherone of these transitions in the sense of Gastin and Oddoux. Therefore noneof these transitions is redundant under this notion of substitutability. It iseasy to check that all of these properties hold for the initial transitions of theautomaton Aϕ1 .

Applying the basic translation rule for the ∧ connective (Table 3.1) to theautomata built for the formulas ϕi and GFpi+1 yields an automaton Aϕi+1

having the initial transitions{⟨qϕi+1

,Γ, ∅, Q′ ∪ {qGFpi+1, qFpi+1

}⟩

〈qϕi,Γ, ∅, Q′〉 is an initial transition of Aϕi

}

∪{⟨qϕi+1

,Γ ∩ Γpi+1, ∅, Q′ ∪ {qGFpi+1

}⟩

〈qϕi,Γ, ∅, Q′〉 is an initial transition of Aϕi

}.

Denote the two components in this set union by ∆i+1,1 and ∆i+1,2, respec-tively. Clearly, the set of acceptance conditions of all initial transitions ofAϕi+1

is empty, and by the induction hypothesis, it is easy to see that everyinitial transition of Aϕi+1

has a nonempty guard Γ such that for all j > i+ 1and σ ∈ 2AP , σ ∈ Γ holds only if both σ ∪ {pj} and σ \ {pj} hold.

Suppose that there exists a pair of transitions t1 = 〈qϕi+1,Γ1, ∅, Q

′1〉, t2 =

〈qϕi+1,Γ2, ∅, Q

′2〉 ∈ ∆i+1,1 ∪∆i+1,2 such that the transition t2 is substitutable

for the transition t1 in the sense of Gastin and Oddoux. Then t1 6= t2, Γ1 ⊆Γ2, and Q′

2 ⊆ Q′1 hold. From the above definition of the initial transitions

of Aϕi+1it follows that the automaton Aϕi

has a pair of initial transitions

t1 = 〈qϕi, Γ1, ∅, Q1〉 and t2 = 〈qϕi

, Γ2, ∅, Q2〉 for some Γ1, Γ2 ⊆ 2AP and

Q1, Q2 ⊆ Qϕi(the state set of Aϕi

, which contains neither qGFpi+1nor qFpi+1

).There are the following cases:

(t1 ∈ ∆i+1,1, t2 ∈ ∆i+1,2) In this case Γ1 = Γ1 and Γ2 = Γ2 ∩Γpi+1. By

the induction hypothesis, there exists a σ ∈ 2AP such that σ ∈ Γ1 = Γ1

holds, and thus also σ \ {pi+1} ∈ Γ1 holds. But then it cannot be the casethat Γ1 ⊆ Γ2 (⊆ Γpi+1

) holds, contradictory to the assumption that thetransition t2 is substitutable for the transition t1.

(t1 ∈ ∆i+1,2, t2 ∈ ∆i+1,1) This case is impossible, because qFpi+1∈ Q′

2\

Q′1, and therefore Q′

2 cannot be a subset of Q′1.

(t1, t2 ∈ ∆i+1,j for some j ∈ {1, 2}) In this case either Γ1 = Γ1 and

Γ2 = Γ2 (j = 1), or Γ1 = Γ1 ∪{σ \ {pi+1} σ ∈ Γ1

}and Γ2 = Γ2 ∪{

σ \ {pi+1} σ ∈ Γ2

}(j = 2), and Q1 = Q′

1 \ Q and Q2 = Q′2 \ Q for

some nonempty set Q ⊆ {qGFpi+1, qFpi+1

}. (The transitions t1 and t2 arenecessarily distinct, since otherwise it would be the case that t1 = t2).


But then, because Γ1 ⊆ Γ2 and Q′2 ⊆ Q′

1 hold, it follows that Γ1 ⊆ Γ2

and Q2 ⊆ Q1, contradictory to the assumption that no initial transition ofthe automaton Aϕi

is substitutable for another in the sense of Gastin andOddoux.

It follows that ∆i+1,1 ∪ ∆i+1,2 contains no pairs of initial transitions, oneof which would be substitutable for the other in the sense of Gastin andOddoux; by induction, this result holds for all 1 ≤ i < ω. Because theautomaton Aϕi

has two initial transitions for all 1 ≤ i < ω, it follows (byan argument analogous to the one used in Ex. 3.2.4 in Sect. 3.2.2) that theautomaton Aϕi

has 2i initial transitions for all 1 ≤ i < ω.

(Translation using the refined rules) As observed in Sect. 5.6.3, every for-

mula ϕi (1 ≤ i < ω) belongs to a subclass of formulas that can be translatedinto a single-state automaton using the refined translation rules (see, for ex-ample, Fig. 5.8 (c) and Fig. 5.8 (d) on page 146 for the cases i = 1 and i = 2,respectively). However, it is clear from the definition of the refined transla-tion rule for the ∧ connective (Table 5.2) that the automaton built for theformula ϕi will still have an exponential number of initial transitions in i ifno redundant transitions can be removed from the automaton.

The formula ϕ2 has previously appeared as a subformula in our runningexample considered in Ex. 3.1.1, Ex. 5.6.1 and Ex. 6.2.10. In the last of theseexamples, we used Proposition 6.2.3 to eliminate one of the initial transitionsof the automaton built for the formula ϕ2 (see Fig. 6.2 (a) and Fig. 6.2 (b)).As we now show, this simplification is a special case of a general patternconcerning the construction of an automaton for the formula ϕi+1 from theautomaton built for the formulas ϕi and GFpi+1.

Suppose that Aϕi=

⟨2AP , {qϕi

},∆ϕi, qϕi

,Fϕi

⟩(1 ≤ i < ω) is a single-

state automaton built for the formula ϕi with initial state qϕi, i acceptance

conditions Fϕi= {f1, f2, . . . , fi}, and i+1 initial self-loop transitions ∆ϕi

={t0, t1, . . . , ti}, where t0 =

⟨qϕi,Γ>,Fϕi

, {qϕi}⟩, and tj =

⟨qϕi,Γpj

,Fϕi\

{fj}, {qϕi}⟩

for all 1 ≤ j ≤ i. Clearly, the automaton Aϕ1 built for theformula ϕ1 using the refined translation rules is of this form (cf. Fig. 5.8 (c)).We show that joining the automaton Aϕi

with an automaton built for the for-mula GFpi+1 using the refined rule for the ∧ connective (Table 5.2) yields anautomaton which can be simplified to the form Aϕi+1

by repeatedly applyingProposition 6.2.3 to remove some of its initial transitions, using the notion oftransition substitutability in the sense of Gastin and Oddoux. By induction, itthen follows that the automaton built in this way for the formula ϕi will havei + 1 instead of 2i (initial) transitions for all 1 ≤ i < ω. (It can be checkedthat ∆ϕi

contains no redundant transitions.)

Clearly, the automaton built for the formula GFpi+1 using the refinedtranslation rules is structurally identical to the automaton Aϕ1 except for theguards and acceptance conditions associated with its transitions: more pre-cisely, the transition relation of this automaton consists of two initial self-looptransitions with guards Γ> and Γpi+1

, respectively, such that the transitionwith guard Γ> has also an associated acceptance condition fi+1 (not includedin Fϕi

, the acceptance conditions of the automaton Aϕi). Applying the re-

fined ∧ translation rule (Table 5.2) to the automaton Aϕiand this automa-

ton yields an automaton Aϕi+1=

⟨2AP , {qϕi+1

}, ∆ϕi+1, qϕi+1

,Fϕi∪ {fi+1}

⟩,


where

∆ϕi+1=

{⟨qϕi+1

,Γ>,Fϕi∪ {fi+1}, {qϕi+1

}⟩,⟨qϕi+1

,Γpi+1,Fϕi

, {qϕi+1}⟩

︸︷︷︸ti+1,0

}

∪{⟨qϕi+1

,Γpj, (Fϕi

\ {fj}) ∪ {fi+1}, {qϕi+1}⟩

︸︷︷︸ti+1,j

1 ≤ j ≤ i}

∪{⟨qϕi+1

,Γpj∩ Γpi+1

,Fϕi\ {fj}, {qϕi+1

}⟩

︸︷︷︸t′i+1,j

1 ≤ j ≤ i}

.

Let 1 ≤ j ≤ i. Comparing the guard of the transition t′i+1,j with the guardof ti+1,0 and ti+1,j, we see that Γpj

∩ Γpi+1⊆ Γpi+1

and Γpj∩ Γpi+1

⊆ Γpj

hold. Therefore, because all transitions in ∆ϕi+1share their set of target

states, it follows that the transitions ti+1,0 and ti+1,j are substitutable for thetransition t′i+1,j in the sense of Gastin and Oddoux. Furthermore, becausethe intersection of the acceptance conditions of ti+1,0 and ti+1,j equals Fϕi

\{fj} (that is, the set of acceptance conditions of t′i+1,j), the transition t′i+1,j

satisfies the requirements of Proposition 6.2.3 (using the set {ti+1,0, ti+1,j} asthe set Tσ for all σ ∈ Γpj

∩ Γpi+1). Therefore, the transition t′i+1,j may be

removed from ∆ϕi+1. By repeating the same consideration for all 1 ≤ j ≤ i,

we obtain the transition relation

∆′ϕi+1

={⟨qϕi+1

,Γ>,Fϕi+1, {qϕi+1

}⟩}

∪{⟨qϕi+1

,Γpj,Fϕi+1

\ {fj}, {qϕi+1}⟩

1 ≤ j ≤ i+ 1}

,

which is of the desired form ∆ϕi+1if we define Fϕi+1

def= Fϕi

∪ {fi+1}. �

Example 6.2.13 Let {ϕn}2≤n<ω be a family of LTL formulas over the set ofatomic propositions AP = {p1, p2, p3, . . .} defined inductively by the rules

ϕ2def= (p2 Rw p1), and

ϕi+1def= (pi+1 Rw ϕi) for all 2 ≤ i < ω.

(Again, this family of LTL formulas is essentially identical to a family of for-mulas of the form ¬

(p1 Us (p2 Us (. . . Us pn) . . .)

)considered previously by

Gastin and Oddoux [2001]; obviously, the positive normal form of any for-mula of this form can be identified with the formula ϕn by renaming itsliterals.)

For all 1 ≤ i < ω, let qpiand ∆I

pibe the initial state and the set of

initial transitions (respectively) of the alternating automaton built for theatomic proposition pi ∈ AP using the translation rules. Clearly, ∆I

pi={

〈qpi,Γpi

, ∅, ∅〉}

for all 1 ≤ i < ω.

(Translation using the basic rules) Let qϕiand ∆I

ϕidenote the initial state

and the set of initial transitions (respectively) of the automaton built for theformula ϕi (2 ≤ i < ω) using the basic translation rules from Sect. 3.1. It isstraightforward to check from the definition of the basic translation rule forthe Rw connective (Table 3.1, p. 44) that

∆Iϕ2

={⟨qϕ2 ,Γp1, ∅, {qϕ2}

⟩, 〈qϕ2,Γp2 ∩ Γp1, ∅, ∅〉

}holds, and

∆Iϕi+1

={⟨qϕi+1

,Γ, ∅, Q′ ∪ {qϕi+1}⟩

〈qϕi,Γ, F,Q′〉 ∈ ∆I

ϕi

}

∪{〈qϕi+1

,Γpi+1∩ Γ, ∅, Q′〉〈qϕi

,Γ, F,Q′〉 ∈ ∆Iϕi

}


holds for all 2 ≤ i < ω. Denote the two components of ∆Iϕi+1

in the above

equation by ∆slϕi+1

and ∆nslϕi+1

; obviously, ∆slϕi+1

consists of the initial self-

loops of the automaton built for the formula ϕi+1, and ∆nslϕi+1

comprises thoseinitial transitions of the automaton that are not self-loops. It is easy to checkby induction on i that |∆I

ϕi| = 2i−1 holds for all 2 ≤ i < ω, and Γ 6= ∅ holds

for every guard Γ of a transition in ∆Iϕi

. Furthermore, for all 2 ≤ i < j < ω,σ ∈ 2AP and t = 〈q,Γ, F,Q′〉 ∈ ∆I

ϕi, σ ∈ Γ holds only if both σ ∪ {pj} ∈ Γ

and σ \ {pj} ∈ Γ hold.We claim that for all 2 ≤ i < ω and all pairs of transitions t1, t2 ∈ ∆I

ϕi

(t1 6= t2), the transition t2 is not substitutable for the transition t1 in the senseof Gastin and Oddoux. Suppose that there exists a least index 2 ≤ i < ωsuch that ∆I

ϕicontains a pair of transitions t1 = 〈qϕi

,Γ1, F1, Q′1〉 ∈ ∆I

ϕi

and t2 = 〈qϕi,Γ2, F2, Q

′2〉 ∈ ∆I

ϕi(t1 6= t2) such that the transition t2 is

substitutable for the transition t1 in the sense of Gastin and Oddoux, i.e.,Γ1 ⊆ Γ2 and Q′

2 ⊆ Q′1 hold. Obviously, this cannot be the case if i = 2,

because Γp1 6⊆ Γp2 ∩ Γp1 and {qϕ2} 6⊆ ∅. Therefore i > 2 holds. There arethe following cases:

(t1 ∈ ∆slϕi, t2 ∈ ∆nsl

ϕi) By the definition of ∆I

ϕi, Γ1 is the guard of a tran-

sition in ∆Iϕi−1

in this case. Because Γ1 6= ∅ holds, σ ∈ Γ1 holds for someσ ∈ 2AP ; then also σ \ {pi} ∈ Γ1 holds. But then σ /∈ Γ2 holds, becauseobviously σ′ ∈ Γ2 holds only if pi ∈ σ′. Therefore Γ1 6⊆ Γ2, contrary tothe assumption.

(t1 ∈ ∆nslϕi, t2 ∈ ∆sl

ϕi) In this case qϕi

∈ Q′2 holds, because t2 is a self-

loop. Because t1 is not a self-loop, however, qϕi/∈ Q′

1 holds. But then itcannot be the case that Q′

2 ⊆ Q′1 holds.

(t1, t2 ∈ ∆slϕi

) By the definition of ∆Iϕi

, ∆Iϕi−1

contains initial transitions

t1 = 〈qϕi−1,Γ1, F1, Q1〉 ∈ ∆I

ϕi−1and t2 = 〈qϕi−1

,Γ2, F2, Q2〉 ∈ ∆Iϕi−1

such that Q1 = Q′1 \ {qϕi

} and Q2 = Q′2 \ {qϕi

} hold; because t1 6= t2holds, t1 6= t2 holds. Because Γ1 ⊆ Γ2 and Q2 = Q′

2 \ {qϕi} ⊆ Q′

1 \

{qϕi} = Q1 hold, the transition t2 is substitutable for t1 in the sense of

Gastin and Oddoux. But then i is cannot the least index for which ∆Iϕi

contains a pair of transitions, one of which is substitutable for the other inthis sense.

(t1, t2 ∈ ∆nslϕi

) In this case the automaton built for the formula ϕi−1 has

the initial transitions t1 = 〈qϕi−1, Γ1, F1, Q

′1〉 ∈ ∆I

ϕi−1and t2 = 〈qϕi−1

, Γ2,

F2, Q′2〉 ∈ ∆I

ϕi−1such that Γ1 = Γpi

∩ Γ1 and Γ2 = Γpi∩ Γ2 hold. Clearly,

t1 6= t2 holds, since otherwise also t1 and t2 would be identical transitions.Suppose that σ ∈ Γ1 holds for some σ ∈ 2AP . Then also σ ∪ {pi} ∈ Γ1

holds, and thus σ ∪ {pi} ∈ Γpi∩ Γ1 = Γ1 ⊆ Γ2 = Γpi

∩ Γ2 ⊆ Γ2. But

then also(σ ∪ {pi}

)\ {pi} = σ ∈ Γ2. It follows that Γ1 ⊆ Γ2 holds,

and because Q′2 ⊆ Q′

1 holds, the transition t2 is substitutable for t1 in thesense of Gastin and Oddoux. Similarly to the previous case, i cannot bethe least index for which ∆I

ϕicontains two transitions, one of which can

be substituted for the other.Because all cases yield a contradiction, it follows that no transition in ∆I

ϕi

is substitutable for another transition in the sense of Gastin and Oddoux; by


induction, the claim holds for all 2 ≤ i < ω. Therefore, transition sub-stitutability in the sense of Gastin and Oddoux does not help in removinginitial transitions (by applying Proposition 6.2.2 or Proposition 6.2.3) fromautomata built for formulas in the family {ϕn}2≤n<ω using the basic transla-tion rules, and it follows that the number of transitions in the automaton builtfor the formula ϕi is exponential in i. More precisely, it is straightforward tocheck that the subautomaton rooted at the initial state of the automaton builtfor the formula ϕi (2 ≤ i < ω) has

∑i

j=2 |∆Ij | =

∑i

j=2 2j−1 = 2i−2 ∈ O(2i)

transitions (for all 3 ≤ i < ω, ∆Iϕi

contains a transition having the initial stateof the automaton built from the formula ϕi−1 as a target state).

(Translation using the refined rules) We now consider the translation of

formulas in the family {ϕn}2≤n<ω into alternating automata using a refinedtranslation rule for the Rw connective from Table 5.3 (p. 143). (We use therule that does not involve assumptions on language containment; it can beshown that the other rule is never applicable when working with subformulasof formulas in the family.) As above, let qϕi

and ∆Iϕi

(2 ≤ i < ω) denote theinitial state and the initial transitions of an automaton built for the formulaϕi. Obviously, the automaton built for the formula ϕ2 is identical to the onebuilt using the basic translation procedure, i.e.,

∆Iϕ2

={⟨qϕ2 ,Γp1, ∅, {qϕ2}

⟩, 〈qϕ2,Γp2 ∩ Γp1, ∅, ∅〉

}

holds also in this case.Let 2 ≤ i < ω. Assume that ∆I

ϕicontains the self-loop

⟨qϕi,Γp1, ∅, {qϕi

}⟩,

and Γ ⊆ Γp1 holds for all guards Γ of transitions in ∆Iϕi

. (Clearly, theseassumptions hold if i = 2.)

Let ∆Iϕi+1

be the set of initial transitions in the automaton built for theformula ϕi+1 by applying the refined translation rule for the Rw connective todefine ∆I

ϕi+1from ∆I

pi+1and ∆I

ϕi. From the definition of the rule (Table 5.3)

it follows that

∆Iϕi+1

={⟨qϕi+1

,Γ, F, (Q′ \ {qϕi}) ∪ {qϕi+1

}⟩

〈qϕi,Γ, F,Q′〉 ∈ ∆I

ϕi

}

∪{〈qϕi+1

,Γpi+1∩ Γ, ∅, Q′〉〈qϕi

,Γ, F,Q′〉 ∈ ∆Iϕi

}.

It now follows from the assumptions that ∆Iϕi+1

contains the self-loop t =⟨qϕi+1

,Γp1, ∅, {qϕi+1}⟩, and Γ ⊆ Γp1 holds also for all guards Γ of transi-

tions in ∆Iϕi+1

. Furthermore, the self-loop t is substitutable for all self-loops

in ∆Iϕi+1

\ {t} in the sense of Gastin and Oddoux, since all self-loops in

∆Iϕi+1

are of the form⟨qϕi+1

,Γ, F, (Q′ \ {qϕi})∪{qϕi+1

}⟩

for some transition〈qϕi

,Γ, F,Q′〉 ∈ ∆Iϕi

: by the above observation, Γ ⊆ Γp1 holds, and obviouslyalso {qϕi+1

} ⊆ (Q′ \ {qϕi}) ∪ {qϕi+1

} holds. Because the set of acceptanceconditions of the transition t is empty, it follows by Proposition 6.2.3 that allself-loops in ∆I

ϕi+1\ {t} are redundant. We may thus write the set of ini-

tial transitions in the automaton built for the formula ϕi+1 (after removingredundant transitions) as

∆Iϕi+1

={⟨qϕi+1

,Γp1, ∅, {qϕi+1}⟩}

∪{〈qϕi+1

,Γpi+1∩ Γ, ∅, Q′〉〈qϕi

,Γ, F,Q′〉 ∈ ∆Iϕi

}.


Because ∆Iϕi+1

contains the self-loop⟨qϕi+1

,Γp1, ∅, {qϕi+1}⟩, and because

Γ ⊆ Γp1 holds for all guards Γ of transitions in ∆Iϕi+1

, the above equalityholds for all 2 ≤ i < ω by induction on i.

It is straightforward to check (using similar arguments as for the basic trans-lation rules) that no transition in ∆I

ϕi+1is substitutable for another transition

in ∆Iϕi+1

in the sense of Gastin and Oddoux. Because no two distinct tran-sitions in ∆I

ϕimap into the same transition in ∆I

ϕi+1in the definition of

∆Iϕi+1

, it follows that |∆Ii | = i holds in this case for all 2 ≤ i < ω (clearly,

|∆Iϕ2| = 2 holds, and if |∆I

ϕi| = i holds for some 2 ≤ i < ω, then obviously

|∆Iϕi+1

| = i+1). It is easy to check that the subautomaton rooted at the initialstate of the automaton built in this way for the formula ϕi (2 ≤ i < ω) then

has∑i

j=2 |∆Ij | =

∑i

j=2 j = i·(i+1)2

− 1 ∈ O(i2) transitions (again, it is easy tocheck that ∆I

ϕicontains a transition having the initial state of the automaton

built from the formula ϕi−1 as a target state for all 3 ≤ i < ω). As a matterof fact, it is actually the case that the automaton built for the formula ϕi hasno transitions with two or more target states: thus every formula in the fam-ily {ϕn}2≤n<ω can be translated into a self-loop nondeterministic automatonwith a linear number of states in the length of the formula. �

Not All Redundant Initial Transitions Can Be DetectedAll previous examples in this section were based on using Proposition 6.2.2and Proposition 6.2.3 to detect redundant initial transitions in self-loop al-ternating automata. It is nevertheless easy to show that these results are notpowerful enough for finding all redundant initial transitions in self-loop al-ternating automata.

Example 6.2.14 Figure 6.4 (a) depicts the self-loop alternating automa-ton built from the LTL formula

((⊥Rw (p1 ∧ p2)) Rw p1

)using the refined

translation rules. It is easy to see that this automaton fin-accepts a wordw ∈ (2{p1,p2})ω iff p1 ∈ w(i) holds for all 0 ≤ i < ω. Therefore the au-tomaton is fin-equivalent to the automaton obtained from it by removing itsinitial non-self-loop transition (Fig. 6.4 (b)). Hence, this transition is redun-dant; however, neither Proposition 6.2.2 nor Proposition 6.2.3 applies in thiscase (the only transition that can be substituted for the transition under fin-acceptance is a self-loop, but the substituted transition itself is not a self-loop).

�


p1

(p1 ∧ p2)

(p1 ∧ p2)

p1

(a) (b)

Fig. 6.4: Not all redundant initial transitions of self-loop alternating automata can bedetected by applying Proposition 6.2.2 or Proposition 6.2.3. (a) Self-loop alternatingautomaton built from the formula

((⊥Rw (p1∧p2))Rw p1

); (b) Automaton obtained

from (a) by removing a redundant initial transition that cannot be detected using oneof the propositions

7 A HIGH-LEVEL REFINED TRANSLATION PROCEDURE

In this short chapter we summarize how the results presented in the twoprevious chapters can be combined with the translation procedure from LTLinto self-loop alternating automata.

Let ϕ ∈ LTL(AP) be an LTL formula over the atomic propositions AP .The translation of the formula ϕ into a self-loop alternating automaton startsby rewriting ϕ in positive normal form (optionally, applying syntactic opti-mizations to the formula as is common in translation algorithms [Etessamiand Holzmann 2000; Somenzi and Bloem 2000; Thirioux 2002]). Let ϕ′ bethe formula (in positive normal form) obtained from this rewriting step. Aself-loop alternating automaton for the formula ϕ′ can then be defined byrepeating the following high-level steps:

1. Choose a formula ψ ∈ NSub(ϕ′) that has not yet been translated intoan automaton such that automata for all top-level subformulas of ψhave already been constructed. If ψ is an atomic formula, build asingle-state automaton for ψ using the translation rule for the atomicformulas (Sect. 3.1) and repeat from this step.

2. Check whether any of the identities discussed in Sect. 5.3 apply to ψby analyzing the automata built for the top-level subformulas of ψ; if ψreduces to a formula for which an automaton already exists, reuse thatautomaton for ψ and return to step 1.

3. Choose a translation rule according to the main connective of ψ andthe relationship between the top-level subformulas of ψ (Table 3.1,Table 5.2, Table 5.3) and apply it to the automata built for the top-level subformula(s) of ψ to obtain an automaton Aψ.

4. Remove redundant initial transitions from Aψ as discussed in Sect. 5.1and Sect. 6.1 (by applying Corollary 2.3.11 and the results proved inProposition 6.2.2, Proposition 6.2.3 and Sect. 6.2.5).

5. Repeat from step 1 until Aϕ′ has been constructed.

182 7. A HIGH-LEVEL REFINED TRANSLATION PROCEDURE

In principle, the above procedure can easily be augmented with additionalminimization tests, for example, to reduce Aψ into a single-state automatoncorresponding to one of the Boolean constants if it accepts the empty or theuniversal language. Furthermore, instead of only removing redundant tran-sitions from the automaton, it is possible to use language containment testsalso for replacing states systematically with their language-equivalent repre-sentatives in each remaining transition or to reduce the number of targetstates in the transitions [Rohde 1997].

As observed in Sect. 5.2 and Sect. 6.2.4, every language containment testapplied in the above procedure can be reduced to testing the emptiness ofthe set intersection of languages recognized by self-loop alternating automatabuilt from subformulas of the formula ϕ′ or the positive normal forms of theirnegations. Because the formula ϕ′ is known at the beginning of the transla-tion, these automata can be found directly by recursive invocations of theabove translation procedure. The number of these invocations is obviouslybounded by 2 · |NSub(ϕ′)| if no automaton built in the translation is dis-carded until the end of the translation. The collection of the self-loop alter-nating automata built in the translation can then be seen as a single self-loopalternating automaton A having at most 2 · |NSub(ϕ′)| states correspondingto formulas in the set NSub(ϕ′) ∪ NSub

([¬ϕ′]PNF

). Every collection of al-

ternating automata referred to in a test for language emptiness can then beseen as a collection of subautomata of the underlying automaton A.

To effectively check whether the set intersection of languages recognizedby a collection of subautomata of A (determined by a set Q of their initialstates) is empty, it is now straightforward to apply a language emptiness check-ing procedure for nondeterministic automata to the subautomaton rooted atthe state Q of the nondeterministic automaton A′ built from A by applyingthe universal subset construction, since Lfin

((A′)Q

)=

⋂q∈QLfin(A

q) holdsby Proposition 4.4.1 (Sect. 4.4). (Because all translation rules and simplifi-cation techniques used in the above procedure generate acceptance closedself-loop alternating automata with representative states for all of their ac-ceptance conditions, the automaton A can be nondeterminized without in-troducing new acceptance conditions as observed in Corollary 4.3.7; alsothe optimizations presented in Sect. 4.5 apply to the nondeterminizationprocedure.) As usual, the universal subset construction can be embeddeddirectly into a language emptiness checking algorithm for nondeterministicautomata which is then invoked incrementally on subautomata of the au-tomaton A′ during the translation procedure. In particular, language empti-ness checking algorithms based on Tarjan’s algorithm for finding the stronglyconnected components of a directed graph [Tarjan 1971, 1972] are easilyadaptable to compute the answer to the language emptiness question for theautomaton (A′)Q together with all of its subautomata in the same pass of thestate space of the automaton (A′)Q. (Of the emptiness checking algorithmsbased on finding the strongly connected components of a nondeterministicautomaton [Couvreur 1999; Geldenhuys and Valmari 2004, 2005; Hammeret al. 2005; Schwoon and Esparza 2005; Couvreur et al. 2005], the algorithmof Couvreur [1999]—see also [Couvreur et al. 2005]—is perhaps best com-patible with our definition of automata since it applies directly to automatawith generalized transition-based acceptance.) Again, if no subautomaton of

7. A HIGH-LEVEL REFINED TRANSLATION PROCEDURE 183

the nondeterministic automaton is discarded in the translation, all languageemptiness checks can thus be handled (in effect) in a single invocation of alanguage emptiness checking algorithm on the nondeterministic automatonA′ (which has at most 22·|NSub(ϕ′)| states). Technically, even though the struc-ture of the underlying alternating automaton A may change between invo-cations of an emptiness checking procedure (for example, if some transitionsare removed from the automaton), it is nevertheless not necessary to repeata language emptiness check for any collection of subautomata of A becauseall of our simplifications preserve the language of each subautomaton of A.

The language containment based optimizations used in the high-leveltranslation procedure do not affect the order of the upper bound for thenumber of recursive invocations of the basic translation procedure, or thenumber of states in a nondeterministic automaton built in the translation ofan LTL formula into a nondeterministic automaton via a self-loop alternat-ing automaton (these upper bounds remain of the order O

(|NSub(ϕ′)|

)and

2O(|NSub(ϕ′)|), respectively). Nevertheless, it is to be expected that this trans-lation procedure is realistically applicable in practice only to small probleminstances. Because the translation procedure enhanced with language con-tainment based optimizations is intuitively more prone to perform the worst-case amount of work than the basic translation procedure, the performancepenalty resulting from repeated unsuccessful language containment tests islikely to become clearly visible in practice (in favor of a procedure with-out language containment based optimizations) in cases where the languagecontainment tests fail to discover opportunities for simplification.

By the design of our language containment based optimizations, every op-timization depends on a positive answer to a question on language contain-ment (equivalently, language emptiness) in order to be applicable. Thereforeit is always safe to assume the answer to such a question to be negative (con-sequently, disabling the optimization) without risking the correctness of thetranslation procedure. For example, the effort spent in recursive invocationsof the translation procedure for formulas that do not occur as node subfor-mulas of ϕ′ could be reduced by specifying a bound for the node size (orother syntactic measure, such as the number of temporal operators) of LTLformulas for which to invoke the translation procedure recursively. Similarly,the amount of work needed for building nondeterministic automata for lan-guage emptiness tests could be controlled by limiting the maximum numberof states of the underlying nondeterministic automaton to generate in thetranslation, disabling the language emptiness tests if this bound is exceededduring the translation. Instead of applying the universal subset construction,the language emptiness checks could also be approximated by syntactic tech-niques (Sect. 4.5.1) to try to detect the unsatisfiability of a conjunction ofLTL formulas corresponding to a set of alternating automata. Additionally,caching the results of the emptiness checks for subsets of the states of thealternating automaton A would allow the explicit construction of a nonde-terministic automaton to be avoided in some cases for other subsets of statesof the automaton: for example, if

⋂q∈QLfin(A

q) = ∅ is known to hold for asubset Q of states of A, then obviously

⋂q∈Q′ Lfin(A

q) = ∅ holds also for allsets Q′ of which Q is a subset; conversely, if

⋂q∈QLfin(A

q) 6= ∅ holds, then⋂q∈Q′ Lfin(A

q) 6= ∅ holds for all subsets Q′ ⊆ Q.

184 7. A HIGH-LEVEL REFINED TRANSLATION PROCEDURE

8 LANGUAGE EMPTINESS CHECKING FOR NONDETERMINIS-TIC AUTOMATA

Checking for the emptiness of the language recognized by a nondeterminis-tic automaton working in inf- or fin-acceptance mode can be reduced to aquestion on repeated reachability in automata (see, for example, [Vardi andWolper 1994]). Therefore, the emptiness checking problem can be solvedby using basic graph algorithms to decide the existence of cycles satisfyingcertain acceptance constraints. In particular, Tarjan’s algorithm for findingthe maximal strongly connected components of a directed graph in lineartime in the number of nodes and edges in the graph using depth-first search[Tarjan 1971, 1972] has been found to be easily and efficiently adaptable tolanguage emptiness checking for nondeterministic automata working in inf-or fin-acceptance mode using one [Geldenhuys and Valmari 2004; Schwoonand Esparza 2005] or more [Couvreur 1999; Hammer et al. 2005; Couvreuret al. 2005; Geldenhuys and Valmari 2005] acceptance conditions. Becausethe algorithms can be combined with the on-the-fly construction of a non-deterministic automaton, they are often able to detect language nonempti-ness without constructing the automaton in full. This on-the-fly detection oflanguage nonemptiness is useful especially in model checking applications,where the nondeterministic automata obtained by composing system descrip-tions with automata expressing correctness specifications (built, for example,from LTL formulas) are often very large due to state space explosion.

The single most critical resource consumed by an emptiness checkingalgorithm based on a search in the state space of an automaton is usuallyconsidered to be the amount of randomly accessed memory needed for dis-tinguishing already visited states from states that have not been explored inthe search, together with the additional memory used for implementing theactual language emptiness check on top of the search. For example, vari-ants of Tarjan’s algorithm commonly number the states of the automaton inthe order in which they are encountered during the search, associating eachstate with one or more integers whose maximum possible values depend onthe number of states in the automaton. Even though some variants of lan-guage emptiness checking algorithms try to discard as much information aspossible when it is not needed any longer in the search by maximizing theuse of stacks in place of hash tables for storing the information [Geldenhuysand Valmari 2004, 2005], the worst-case memory requirements of these algo-rithms still exceed those of the nested depth-first search (NDFS) algorithm ofCourcoubetis et al. [1991, 1992] and its many variants [Godefroid and Holz-mann 1993; Holzmann et al. 1997; Edelkamp et al. 2001, 2004; Brim et al.2001; Bošnacki 2002, 2003; Gastin et al. 2004; Tauriainen 2004, 2005, 2006;Schwoon and Esparza 2005; Couvreur et al. 2005]. Instead of analyzing thestrongly connected components of an automaton, these algorithms try to de-tect the nonemptiness of the language of the automaton via the reductionof language nonemptiness to repeated reachability. However, the worst-casenumber of passes of the state space of the automaton required by these algo-rithms depends on the number of acceptance conditions in the automaton.It is therefore not surprising that variants of Tarjan’s algorithm, for which the

8. LANGUAGE EMPTINESS CHECKING FOR NONDETERMINISTIC AUTOMATA 185

number of passes is independent of the number of acceptance conditions,outperform NDFS-based ones as regards the number of states (re-)exploredin the search [Schwoon and Esparza 2005; Couvreur et al. 2005].

In addition to using multiple passes of the state space, most known variantsof the basic nested depth-first search algorithm are not directly applicableto automata with more than one acceptance condition: the automata firstneed to be degeneralized to replace the multiple acceptance conditions witha single one [Emerson and Sistla 1984a,b; Courcoubetis et al. 1991, 1992;Gastin and Oddoux 2001; Giannakopoulou and Lerda 2002]. Although asimple operation in a theoretical sense, degeneralization may neverthelessincrease the number of states in the automaton by a factor that is propor-tional to the number of acceptance conditions. Because the increase in thenumber of states cannot be avoided in the general case, the transformationmay thus work against any memory savings gained from the use of a specialemptiness checking algorithm. Other advantages of direct emptiness check-ing algorithms for automata with multiple acceptance conditions have pre-viously been pointed out in the context of verification under simple liveness[Aggarwal et al. 1990] (or weak fairness) assumptions by Couvreur [1999],who proposed an on-the-fly variant of Tarjan’s algorithm [Tarjan 1971, 1972]for checking the emptiness of languages recognized by automata with multi-ple acceptance conditions, and Bošnacki [2003], who studied combining thenested depth-first search with fairness and symmetry reduction.

In this chapter, we present a variant of the basic nested depth-first searchemptiness checking algorithm of [Courcoubetis et al. 1991, 1992], combin-ing material from previous work by the author in [Tauriainen 2004, 2005,2006]. This variant is designed to work directly on automata with multipleacceptance conditions and thus avoids the need for degeneralization. In-stead of using automata working in fin-acceptance mode, we switch our fo-cus to automata working in inf-acceptance mode to make our algorithm di-rectly substitutable for other constructions known from the literature. Whendealing with nondeterministic automata obtained from self-loop alternatingautomata working in fin-acceptance mode, the simple correspondence be-tween the acceptance modes allows the inversion of the acceptance mode tobe combined, for example, with the nondeterminization of self-loop alternat-ing automata (which can by itself be embedded into the language emptinesschecking algorithm [Hammer et al. 2005]).

Although the algorithm presented in this chapter could be used to im-plement language emptiness checks in the high-level translation procedurefor translating LTL formulas into self-loop alternating automata (Ch. 7), thealgorithm is geared more towards model checking (variants of Tarjan’s al-gorithm work faster, and they are easily adaptable to answer the languageemptiness question for all subautomata of a nondeterministic automaton inthe same pass of the automaton’s state space).

8.1 TERMINOLOGY

In this section we briefly introduce additional terminology which we shalluse in the analysis of nondeterministic automata working in inf-acceptance

186 8. LANGUAGE EMPTINESS CHECKING FOR NONDETERMINISTIC AUTOMATA

mode.Let A = 〈Σ, Q,∆, qI ,F〉 be a nondeterministic automaton, and let

(ti)0≤i<n ∈ ∆n (for some 0 ≤ n ≤ ω) be a chain of transitions in A. Wesay that the chain (ti)0≤i<n fulfills the acceptance condition f ∈ F iff thereexists an index 0 ≤ i < n such that the transition ti is an f -transition of A.

Because every transition of A has exactly one target state, it is easy to seethat every nonempty chain of transitions in A determines a unique path inA. Thus we say that a nonempty chain of transitions visits a state q ∈ Q if thepath corresponding to it does; similarly, we may consider a state q′ ∈ Q to bereachable from another state q ∈ Q via a nonempty chain of transitions if q′

is reachable from q via the path that corresponds to the chain of transitions,and we may call a finite nonempty chain of transitions a cycle if the pathdetermined by the chain is a cycle of A.

It is easy to see that every infinite chain of transitions with nonemptyguards that begins with an initial transition of A defines a run of A on someinput and vice versa. Therefore, because ∆ is finite, it follows that A hasan inf-accepting run on some input w ∈ Σω (that is, Linf(A) 6= ∅ holds)iff A contains an accepting cycle, i.e., a cycle (of transitions with nonemptyguards) which fulfills all acceptance conditions f ∈ F and visits a state thatis reachable from the initial state qI of the automaton.

Finally, a maximal strongly connected component of A is a maximal sub-set C ⊆ Q∪∆ such that for all q, q′ ∈ C∩Q, there exists a path from q to q′ inA that corresponds to a (possibly empty) chain of transitions with nonemptyguards, and for all t =

⟨q,Γ, F, {q′}

⟩∈ C ∩ ∆, Γ 6= ∅ and q, q′ ∈ C hold.

It is straightforward to check that every accepting cycle of A is contained ina maximal strongly connected component of A that contains an f -transitionfor all f ∈ F .

8.2 DEGENERALIZATION

It is well-known that nondeterministic automata with more than one accep-tance condition are not more expressive than automata with a single ac-ceptance condition, and there are effective degeneralization constructionsfor replacing the acceptance conditions in a nondeterministic automatonwith a single condition. These constructions [Emerson and Sistla 1984a,b;Courcoubetis et al. 1991, 1992] can be seen either as variants of the “flag-construction” of Choueka [1974] for defining a nondeterministic ω-automa-ton for the set intersection of the languages recognized by a collection ofnondeterministic ω-automata, or as procedures that achieve their goal bycombining automata with special “degeneralizer” automata [Couvreur 1999;Giannakopoulou and Lerda 2002].

It is straightforward to adapt, for example, the construction proposed byCourcoubetis et al. [1991, 1992] (designed for automata with state-basedacceptance) to automata with transition-based acceptance. Intuitively, theconstruction works by taking as many copies of the automaton as there areacceptance conditions, and then connecting the copies together into an au-tomaton in which every finite chain of transitions that begins and ends withtransitions fulfilling the acceptance condition of the automaton corresponds


to a chain that fulfills all acceptance conditions in the original automaton(and vice versa). Therefore, any infinite chain of transitions satisfying theinf-acceptance condition in one of the automata corresponds to a similarchain in the other automaton.

Formally, the construction transforms a nondeterministic automaton A =〈Σ, Q,∆, qI ,F〉 with state set Q = {q1, q2, . . . , qn} (where 1 ≤ n < ω andqI = q1) and a nonempty set of acceptance conditions F = {f1, f2, . . . , fm}(1 ≤ m < ω) into a nondeterministic automaton A′ =

⟨Σ, Q′,∆′, q′I , {f}

⟩,

where

Q′ def= {q(i,j)}

i=n,j=mi=1,j=1 ,

∆′ def=

⋃mk=1

({⟨q(i,k),Γ, ∅, {q(j,k)}

⟩ ⟨qi,Γ, F, {qj}

⟩∈ ∆, fk /∈ F

}

∪{⟨q(i,k),Γ, F (i), {q(j,1+(k mod m))}

⟩ ⟨qi,Γ, F, {qj}

⟩∈ ∆,

fk ∈ F})

,

q′Idef= q(1,k), and

F (i)def=

{{f} if i = ` holds for some fixed 1 ≤ ` ≤ m∅ otherwise.

(If F = ∅ holds, we can define A′ def=

⟨Σ, Q,∆′, qI , {f}

⟩, where ∆′ def

={⟨q,Γ, {f}, {q′}

⟩ ⟨q,Γ, ∅, {q′}

⟩∈ ∆

}.)

When applied to an automaton A with n states and 1 ≤ m < ω ac-ceptance conditions, the transformation yields an automaton A′ with nmstates and one acceptance condition such that the automata A′ and A inf-recognize the same language [Emerson and Sistla 1984a,b; Courcoubetiset al. 1991, 1992]. The construction gives an O(nm) worst-case lower boundfor the number of states in an automaton obtained via degeneralization. Asshown below, this lower bound is optimal, i.e., the linear blow-up in thenumber of states in the automaton cannot be avoided in the general case. (Al-though this result is intuitively very obvious, the optimality of the construc-tion is usually not considered in literature on degeneralization algorithms[Emerson and Sistla 1984a,b; Courcoubetis et al. 1991, 1992; Clarke et al.1999] or their optimizations [Gastin and Oddoux 2001; Giannakopoulou andLerda 2002]. We therefore repeat an example from [Tauriainen 2004, 2006]here for illustration.)

Proposition 8.2.1 A nondeterministic automaton built by degeneralizing anondeterministic automaton with 1 ≤ n < ω states and 1 ≤ m < ω accep-tance conditions (and an alphabet of at least m+1 symbols) needs nm statesto recognize the language of the original automaton in the worst case.

Proof: Let 2 ≤ n < ω be an integer, and let Σm denote a finite alphabetwith 1 ≤ m < ω distinct symbols σ1, . . . , σm together with an extra symbol# different from each σi. The parameters n and m can be used to define aset of infinite words Ln,m over Σm characterized by the ω-regular expression

Ln,m =((

(∪mi=1i6=1

σi)#n−1

)∗σ1#

n−1

((∪mi=1

i6=2

σi)#n−1

)∗σ2#

n−1

· · ·((∪mi=1

i6=m

σi)#n−1

)∗σm#n−1

)ω,


{#}

{#}

{σ1}{σ2}

{σ3}

q3,31 q3,32 q3,33

{#}

{#}

{#}

{#}

{#}

{#} {σ1}{σ1}

{σ1}{σ2}

{σ2}

{σ2}

{σ3}

{σ3}

{σ3}

q3,3(1,1)

q3,3(2,1)

q3,3(3,1) q3,3(1,2)

q3,3(2,2)

q3,3(3,2) q3,3(1,3)

q3,3(2,3)

q3,3(3,3)

(a) (b)

Fig. 8.1: Examples of automata used in the proof of Proposition 8.2.1. (a) Theautomaton A3,3. (b) Automaton obtained from A3,3 via degeneralization

i.e., the set of infinite words built from n-symbol “blocks” over Σm, each ofwhich consists of one of the symbols σi (1 ≤ i ≤ m) followed by exactly n−1#’s, with the additional constraint that each σi should occur in the resultingword infinitely many times.

The language Ln,m can be recognized by the n-state nondeterministicautomaton An,m = 〈Σm, Qn,m,∆n,m, q

n,mI ,Fn,m〉, where

Qn,mdef= {qn,m1 , qn,m2 , qn,m3 , . . . , qn,mn },

∆n,mdef=

(⋃m

i=1

{⟨qn,m1 , {σi}, {f

nm}, {q

n,m2 }

⟩})

∪(⋃n

i=2

{⟨qn,mi , {#}, ∅, {qn,m(i mod n)+1}

⟩}),

qn,mIdef= qn,m1 , and

Fn,mdef= {fn1 , f

n2 , . . . , f

nm}.

As a concrete example, see Fig. 8.1 (a) for an illustration of the automatonA3,3.

By the above construction, there exists an automaton with nm states anda single acceptance condition such that the automaton recognizes the lan-guage Ln,m. Figure 8.1 (b) shows the result when the construction is appliedto the automaton A3,3. We argue that the construction is optimal by show-ing that any automaton that inf-recognizes the language Ln,m using only oneacceptance condition always has at least nm states.

Let A =⟨Σm, Q,∆, qI , {f}

⟩be an automaton that inf-recognizes Ln,m

using only one acceptance condition f , and let w ∈ Ln,m. Thus, A inf-accepts w, and there exists a uniform inf-accepting run G of A on w thatconsists of a unique infinite branch β ∈ B(G) such that inf(β) = {f} holds.Because ∆ is finite, β contains infinitely many edges labeled with a transitiont =

⟨q,Γ, F, {q′}

⟩∈ ∆ such that f ∈ F holds. Let u be a finite prefix of w

such that the edge beginning at level |u| of G is labeled with the transition t(with source state q). Because t occurs infinitely many times inG, there existsa chain of transitions (with nonempty guards) beginning with the transition tthat corresponds to a cycle from q to itself in A.

Consider any shortest chain of transitions (with nonempty guards) thatbegins with the transition t and corresponds to a cycle from q to itself in


the automaton A. Let v be a word composed of symbols in the guards of thesuccessive transitions in the chain. It is easy to see that A inf-accepts the worduvω. Because A inf -recognizes the language Ln,m, it follows that uvω ∈ Ln,mholds. Hence each σi must occur at least once in v for all 1 ≤ i ≤ m. Inthe simplest case, each σi occurs in v exactly once, and v is of the form#kσρ(1)#

n−1σρ(2)#n−1 · · ·σρ(m)#

n−k−1 for some 0 ≤ k ≤ n − 1 and somepermutation ρ of {1, . . . , m}. Clearly, v has (n − 1)m + m = nm symbols.Because v was formed from a shortest chain of transitions (beginning withthe transition t) that corresponds to a cycle from q to itself, the source statesof the transitions in the chain are distinct. It follows that A has at least nmstates as argued. �

8.3 EMPTINESS CHECKING ALGORITHM

Let A = 〈Σ, Q,∆, qI ,F〉 be a nondeterministic automaton with a nonemptyset of acceptance conditions F = {f1, f2, . . . , fn} for some 1 ≤ n < ω. Theindices of the acceptance conditions induce an ordering between the con-ditions. Figure 8.2 represents the pseudocode of an algorithm that decideswhether A inf-recognizes the empty language or not by checking for the ex-istence of an accepting cycle in A. We present the algorithm in recursiveform, from which it is easy to point out the relevant details. (If F = ∅ holds,the emptiness of Linf(A) can be decided using a single depth-first search inthe automaton, because Linf(A) 6= ∅ holds in this case iff A contains a cyclethat visits a state reachable from the initial state qI of A. As a matter of fact, asingle search is sufficient also for weak nondeterministic automata [Schwoonand Esparza 2005].)

The TOP-LEVEL-SEARCH procedure implements a simple depth-firstsearch in the automaton. After processing a transition (line 7), a secondsearch is started from the transition at line 9 (in further discussion, the term“second search” refers to all operations caused by a call to the SECOND-

SEARCH procedure made at line 9). The purpose of this search is to prop-agate information about the reachability of states via chains of transitionswhich fulfill certain acceptance conditions. Each second search is restrictedto states that have been found in the top-level search.

The algorithm uses the following (global) data structures:

path_stack : This stack collects the states entered in the top-level search butfrom which the search has not yet backtracked. This stack is used onlyto facilitate the correctness proof in Sect. 8.3.2 and thus all referencesto it (lines 3 and 12) could be removed from the pseudocode.

visited : States found in the top-level search. When a state is added to thisset, it will never be removed.

count : A lookup table associating each state of the automaton with an in-dex of an acceptance condition. Intuitively, if count [q] = c holds forsome q ∈ Q and 1 ≤ c ≤ n, then, for every acceptance conditionf1, f2, . . . , fc ∈ F , the automaton contains a nonempty chain of tran-sitions (with nonempty guards) that corresponds to a path ending in


Initialize: A := 〈Σ, Q,∆, qI ,F〉: Nondeterministic automaton with states Q ={q1, q2, . . . , q|Q|} and 1 ≤ n < ω acceptance conditions F = {f1,f2, . . . , fn};

path_stack := [empty stack];visited := ∅;count := [q1 7→ 0, . . . , q|Q| 7→ 0];depth := 1;condition_stack := [stack initialized with the element (0, 0)].

1 TOP-LEVEL-SEARCH(q ∈ Q)

2 begin

3 push q on path_stack ;

4 visited := visited ∪ {q};

5 for all t =⟨q,Γ, F, {q′}

⟩∈ ∆ with Γ 6= ∅ do

6 begin

7 if (q′ /∈ visited) then TOP-LEVEL-SEARCH(q′);8 Iseen :=

{1, 2, . . . , count [q]

};

9 SECOND-SEARCH(t);10 if (count [q] = |F|) then report “Linf(A) 6= ∅”;

11 end;

12 pop q off path_stack ;

13 end

14 SECOND-SEARCH(⟨q,Γ, F, {q′}

⟩∈ ∆)

15 begin

16 Iunseen_fulfilled :={1 ≤ i ≤ |F| fi ∈ F

}\ Iseen;

17 c := max{0 ≤ i ≤ |F| j ∈ Iseen ∪ Iunseen_fulfilled for all 1 ≤ j ≤ i

};

18 if (c > count [q′]) then

19 begin

20 count [q′] := c;21 Iseen := Iseen ∪ Iunseen_fulfilled;

22 for all i ∈ Iunseen_fulfilled do push (i, depth) on condition_stack ;

23 depth := depth + 1;

24 for all t =⟨q′,Γ′, F ′, {q′′}

⟩∈ ∆ such that Γ′ 6= ∅ and q′′ ∈ visited do

25 SECOND-SEARCH(t);26 depth := depth − 1;

27 (i, d) := topmost element of condition_stack ;

28 while (d = depth) do

29 begin

30 Iseen := Iseen \ {i};

31 pop (i, d) off condition_stack ;

32 (i, d) := topmost element of condition_stack ;

33 end

34 end

35 end

Fig. 8.2: Nested depth-first search language emptiness checking algorithm for non-deterministic automata working in inf -acceptance mode using one or more ac-ceptance conditions. The emptiness check is started by calling the TOP-LEVEL-

SEARCH procedure with the initial state qI of the automaton as a parameter


the state q such that the chain fulfills the condition. For all q ∈ Q,count [q] will never decrease during the execution of the algorithm.

Iseen: A set of indices of acceptance conditions “seen” in a chain of transi-tions (beginning with the transition from which a second search wasstarted at line 9), the path corresponding to which ends in the statereferred to by the program variable q in a nested recursive call of theSECOND-SEARCH procedure. The conditions “seen” in this chain in-clude also the conditions that were associated with the state from whichthe search was started (line 8). In every nested call to the SECOND-

SEARCH procedure, the algorithm first collects the indices of all previ-ously “unseen” acceptance conditions that are included in the accep-tance conditions of the transition given as a parameter for the proce-dure (line 16). These indices are then added to the Iseen set later atline 21 before any nested recursive calls to the procedure.

depth: An integer variable representing the number of transitions in a chain(beginning with the transition from which a second search was started)that corresponds to a path that ends in the state referred to by the pro-gram variable q′ in a nested recursive call of the SECOND-SEARCH

procedure.

condition_stack : A stack used for recording a (partial) history of changesmade to the Iseen set during a second search in the automaton. Tosimplify the presentation of the SECOND-SEARCH procedure, the stackis initialized with a sentinel element that will never be removed fromthe stack (and thus the stack can never be empty at lines 27 or 32).

To simplify the presentation of the algorithm, the global variables depth andIseen could be modeled as parameters of the SECOND-SEARCH procedure(in which case also the variable condition_stack could be eliminated). How-ever, we treat these variables as globals to facilitate the analysis of the algo-rithm’s memory requirements.

The second search proceeds from a state q to its successor q′ only if theconditions “seen” in a chain of transitions corresponding to a path that endsin the state q′ include the next condition (or possibly several consecutive con-ditions in the acceptance condition ordering), the index of which is not yetrecorded in the value of count [q′]. At line 17, the algorithm finds the maxi-mal index of an acceptance condition which has been “seen” along with allof its predecessors (in the acceptance condition ordering) during the secondsearch; whether to proceed to a successor of q is then decided at line 18.

Example 8.3.1 We illustrate the behavior of the emptiness checking algo-rithm with a simple example. Consider the nondeterministic automatonshown in Fig. 8.3 (a) (for simplicity, we assume that all transitions in theautomaton have nonempty guards and omit them from the figure becausethe behavior of the language emptiness checking algorithm does not dependon the contents of such guards). This automaton has eight states and threeacceptance conditions f1, f2 and f3 represented in the figure by •, ◦ and•, respectively. It is easy to see that the automaton consists of a single max-imal strongly connected component, and thus the language inf-recognized


q1

q2

q3

q4

q5

q6

q7

q8

0

1

1

1

0

0

0

0

q1

q2

q3

q4

q5

q6

q7

q800

0

0

1

1

1 0

q1

q2

q3

q4

q6

q7

q8

q5

(a) (b) (c)

PSfrag 2

2 2

2

2

2

2

0

q1

q2

q3

q4

q6

q7

q8

q5 0

2

2 2

2

2

2

2

q1

q2

q3

q4

q5

q6

q7

q8

3

3

3

3

3

3

3

3

q1

q2

q3

q4

q5

q6

q7

q8

(d) (e) (f)

Fig. 8.3: Example on running the emptiness checking algorithm on an automaton.(a) An automaton with three acceptance conditions and a nonempty language; (b)–(f) State of the algorithm when the top-level search is about to backtrack from thestates q4, q6, q2, q5 and q1, respectively

by the automaton is not empty. We briefly describe the steps the algorithmtakes to verify this property. (In the following, we assume that the algorithmexamines the transitions starting from a state of the automaton in the orderdetermined by the indices of their target states. Thus, for example, in stateq8, the algorithm first examines the transition with target state q1, followed bythe transitions with target states q6 and q7, respectively.)

Starting from the state q1, the top-level search first explores the states q2,q3 and q4. Before the search backtracks from the state q4, a second search isstarted from each transition with source state q4. Because the transition withtarget state q2 is an f1- (•-)transition, the second search starting from thistransition explores the states q2, q3 and q4 and updates count [q2], count [q3]and count [q4] to 1. The search will not proceed from q2 to q7, however, be-cause the top-level search did not visit the state q7 before this second search.Figure 8.3 (b) represents the state of the algorithm when the top-level searchis about to backtrack from the state q4 (the contents of the count table is rep-resented by numbers in the states; the shaded states represent the contents ofthe top-level search stack).

The top-level search now backtracks from q4 and q3 (without making fur-ther changes to the count table in second searches), and then explores thestates q7, q8 and q6. Even though the transition from q6 to the state q4 is an f2-(◦-)transition, the second search started from this transition will not proceedto the state q4, because count [q6] < 1 holds at the beginning of this search(and when the top-level search is about to backtrack from the state q6, seeFig. 8.3 (c)). The contents of this table remain unchanged until a secondsearch is started from the transition with source state q2 and target state q7.


Because count [q2] = 1 > 0 = count [q7] holds at the beginning of the sec-ond search from the transition between these two states, the second searchwill update count [q7], count [q8], count [q1] and count [q6] to 1. Furthermore,because the transition from q6 to q4 is an f2- (◦-)transition, the search willrevisit all descendants of q6 explored in the top-level search, updating thecount table as shown in Fig. 8.3 (d), which represents the state of the algo-rithm when the top-level search backtracks from the state q2.

After backtracking from the state q2, the top-level search enters the lastunvisited state q5 of the automaton. The algorithm backtracks from this statewithout making any changes to the count table in the second search startedfrom the transition between q5 and q6; see Fig. 8.3 (e).

A second search is started once more from the transition from q1 to q5.The state of the algorithm after this second search is shown in Fig. 8.3 (f).Because q1 is still on the top-level search stack and count [q1] = 3 holds at theend of this search, the algorithm reports that the language inf-recognized bythe automaton is not empty. �

8.3.1 Resource Requirements

Clearly, the count table associates each state of the automaton with an inte-ger that will never exceed the number of acceptance conditions |F| in theautomaton. Because entering a state q′ during a second search (line 19) im-plies incrementing the value of count [q′], it is easy to see that the algorithmneeds at most |F|+1 passes of the state space of the automaton. It is also easyto see that the top-level search stack will contain at most |Q| elements at anytime during the search. The implicit recursion stack used for nested calls ofthe SECOND-SEARCH procedure will grow to contain at most |Q| · |F| + 1elements in the worst case. If the count table is represented as a hash tableindexed with state descriptors, each of which consumes s bits of memory,the table has to store |Q| ·

(s+ dlog2(|F| + 1)e

)bits in the worst case. (The

visited set can be combined with this table by inserting states to the table asthey are entered in the top-level search.)

The Iseen set can be represented as a bit vector with |F| bits. Because el-ements are added to condition_stack only when there are conditions whoseindices are still missing from the Iseen set, it is easy to see that this stack willnever contain more than |F| + 1 elements. Note that this bound would notbe as obvious if the depth and Iseen variables had been modeled as parame-ters of the SECOND-SEARCH procedure: in this case the information storedin condition_stack would be implicit in the activation records of nested re-cursive procedure calls (and would amount to |Q| · |F|+1 instead of |F|+1elements in the worst case). It is straightforward to check that the integerdepth, the Iseen set and the elements in the condition_stack stack needO

(|F| log2(|Q| · |F|)

)bits for their representation in the worst case.

Additionally, the search procedures need (in a standard way) to keep trackof information on how to generate the next transition starting from a state inthe loops at lines 5–11 and 24–25 such that the information is preserved overnested recursive calls of the procedures.

Table 8.1 lists worst-case resource requirements (number of bits consumedby a hash table used to implement a search and the number of states visited


Table 8.1: Upper bounds for complexity measures for checking the language inf-recognized by a nondeterministic with n states and 1 ≤ m < ω acceptance condi-tions for emptiness; sg and sd are the numbers of bits required for representing statedescriptors in the original and degeneralized automaton, respectively (sg ≤ sd).

Emptiness checking strategyNumber ofentries inhash table

Memory required for hash table(bits)

Number ofstates visited

explicit degeneralizationwith classic NDFS[Godefroid andHolzmann 1993]

nm nm(sd + 2) 2nm

classic NDFS withon-the-flydegeneralization[Bošnacki 2003]

n n(sg + 2m) 2nm

generalized nested search[Tauriainen 2004, 2006]

n n(sg +m) n(m+ 1)

generalized NDFS(Fig. 8.2; [Tauriainen2005])

n n(sg + dlog2(m+ 1)e

)n(m+ 1)

in the search in the worst case) for several language emptiness checking al-gorithms based on the nested depth-first search algorithm of Courcoubetiset al. [1991, 1992] when applied to nondeterministic automata working ininf-acceptance mode using multiple acceptance conditions. (For simple ex-perimental comparison of generalized search against nongeneralized algo-rithms, see [Tauriainen 2006].)

The original nested depth-first search algorithm of Courcoubetis et al.[1991, 1992] for nondeterministic automata with a single acceptance condi-tion needs two passes of the state space of the automaton in the worst caseto decide whether the automaton inf -recognizes the empty language (for adescription of the basic nested depth-first search algorithm, see, for exam-ple, the textbook [Clarke et al. 1999]). Godefroid and Holzmann [1993]suggested an implementation of the classic algorithm that stores two bits ofinformation per each state of the automaton in a hash table indexed withstate descriptors of the automaton to keep track of the two passes in which astate may have been visited. The worst-case number of bits needed for thehash table and number of states visited by this algorithm follow directly fromthe result that degeneralizing an automaton with n states and 1 ≤ m < ω ac-ceptance conditions may result in an m-fold increase in the number of statesof the automaton in the worst case (Proposition 8.2.1). As shown by Bošnacki[2003], combining degeneralization with the search algorithm (called “on-the-fly degeneralization” in Table 8.1) makes it possible to implement thesearch using less memory by observing that the states in the degeneralizedautomaton are copies of states of the original automaton (in which case thetwo additional bits associated with each of the m different copies of a statecan be stored into the same entry of the hash table).


The worst-case memory requirements can be improved further by bypass-ing degeneralization, in which case also the worst-case number of states vis-ited during the search can be reduced [Tauriainen 2004, 2006]; ordering theacceptance conditions allows for a further reduction in the number of bitsthat need to be stored in the search hash table [Tauriainen 2005]. The algo-rithm in Fig. 8.2 corresponds to this variant of the generalized nested searchalgorithm from [Tauriainen 2004, 2006] enhanced with an optimization sug-gested by Couvreur et al. [2005] to speed up the detection of language non-emptiness by initiating second searches immediately after processing a transi-tion at line 7 (instead of waiting until all transitions starting from a state havebeen processed as done in the classic NDFS algorithm).

8.3.2 Correctness of the Algorithm

In this section we prove the correctness of the algorithm.Let A = 〈Σ, Q,∆, qI ,F〉 (F 6= ∅) be a nondeterministic automaton

(working in inf-acceptance mode) given as input for the algorithm. It iseasy to see that the algorithm will start a second search at line 9 from everytransition (with a nonempty guard), the source state of which is either theinitial state qI of the automaton, or a state reachable from qI via a chain oftransitions with nonempty guards, and the second search is started exactlyonce from each of these transitions. Therefore the transitions are processedin some well-defined order: we write t ≤ t′ (t, t′ ∈ ∆) to indicate that thesecond search from t is started at line 9 before the second search from t′

(or t = t′). (Other inequalities between transitions are defined in the ob-vious way.) Additionally, we write visited(t) and path_stack(t) to refer tothe contents of the visited set and the top-level search stack (respectively) atthe beginning of a second search from the transition t; note that these datastructures remain unchanged in all recursive calls to the SECOND-SEARCH

procedure. We also write path_stack(q) to denote the contents of the top-level search stack at line 13 of the algorithm when the top-level search isabout to backtrack from a state q ∈ Q.

It is easy to check (by induction on the number of nested recursive calls ofthe SECOND-SEARCH procedure) that, if depth = d and Iseen = I hold foran integer d and a set of indices of acceptance conditions I ⊆

{1, 2, . . . , |F|

}

when the algorithm is about to enter the loop at line 24, then depth and Iseen

will have these same values at the beginning of each iteration of the loop.

SoundnessIn this section we prove the soundness of the algorithm (with respect tochecking for the nonemptiness of a language inf-accepted by an automaton).We first formalize a simple fact about states in the top-level search stack.

Lemma 8.3.2 Let q and q′ be states in path_stack such that q = q′ holds,or q was pushed before q′ on the stack. There exists a path from q to q′ in Asuch that the path corresponds to a (possibly empty) chain of transitions withnonempty guards in A.

Proof: The result holds trivially if q = q′. Otherwise q′ was pushed on thestack in a recursive call of the top-level search procedure (started at line 7


when q was on top of the stack), and it follows by induction that there exists apath from q to q′ in the automaton such that this path corresponds to a chainof transitions with nonempty guards. �

The soundness of the algorithm is based on the observation that every statein the top-level search stack known to be reachable via a chain of transitions(with nonempty guards) that fulfills an acceptance condition is actually in acycle that fulfills the condition.

Lemma 8.3.3 Let t ∈ ∆ be a transition from which the algorithm starts asecond search at line 9. If count [q] ≥ n holds for some q ∈ path_stack(t)and 1 ≤ n ≤ |F| during a second search started at line 9 from the transitiont, then the automaton contains a cycle of transitions with nonempty guardswhich fulfills the acceptance condition fn and visits the state q.

Proof: We claim that there exists an integer 1 ≤ k < ω, states q0, q1, . . . , qk ∈Q (with q0 = q) and transitions t0, t1, . . . , tk ∈ ∆ such that for all 0 ≤ i < k,qi and qi+1 are reachable from each other in the automaton via nonemptychains of transitions with nonempty guards, ti ≥ ti+1 holds for all 0 ≤ i <k, and qk−1 is reachable from qk via a chain of transitions (with nonemptyguards) which fulfills the acceptance condition fn. Clearly, if such sequencesexist, then q0 (= q) is a source state of a transition in a cycle of transitionswith nonempty guards which fulfills the acceptance condition fn, and theresult follows.

We prove the claim by constructing sequences with the required proper-

ties. Let q0def= q, and let t0

def= t. Because count [q0] ≥ n > 0 holds during

the second search from t0, there exists a transition t1 ∈ ∆, t1 ≤ t0, such thatcount [q0] was updated for the first time to a value greater than or equal to nduring a second search started at line 9 from the transition t1. Let q1 ∈ Q bethe source state of t1.

Assume that qi and ti have been defined for some 1 ≤ i < ω such thatcount [qi−1] is updated for the first time to a value greater than or equal ton during a second search started at line 9 from the transition ti ≤ ti−1. Ifcount [qi] ≥ n > 0 already holds at the beginning of this second search, thereexists a transition t′ ∈ ∆, t′ < ti, such that count [qi] was updated for the firsttime to a value greater than or equal to n during a second search started from

the transition t′ (with source state q′ ∈ Q). In this case we let qi+1def= q′ and

ti+1def= t′ and continue the inductive construction.

By repeating the construction, we obtain a sequence of states q0, q1, q2, . . .and a sequence of transitions t0 ≥ t1 > t2 > · · · such that for all i =0, 1, 2, . . ., count [qi] was updated for the first time to a value greater than orequal to n in a second search started from the transition ti+1 with sourcestate qi+1. Because the automaton is finite, the sequence of transitions isfinite, and because count [q′] = 0 initially holds for all q′ ∈ Q, there exists anindex k such that count [qk] < n holds at the beginning of a second searchfrom the transition tk.

Let 0 ≤ i < k. Because count [qi] is updated for the first time to a valuegreater than or equal to n during a second search started from the transitionti+1 ≤ ti, qi is reachable from the source state qi+1 of ti+1 via a nonempty


chain of transitions with nonempty guards, and qi ∈ visited(ti+1) holds.On the other hand, because ti+1 ≤ ti holds, the top-level search could nothave backtracked from the state qi before backtracking from qi+1, and thusqi ∈ path_stack(ti+1) holds. Because qi+1 is on top of path_stack duringthe second search from ti+1, it follows by Lemma 8.3.2 that the automatoncontains a path from qi to qi+1 that corresponds to a (possibly empty) chainof transitions with nonempty guards. It follows that the states qi and qi+1 arereachable from each other in the automaton via nonempty chains of transi-tions whose guards are nonempty.

Because count [qk] < n holds at the beginning of the second search fromtk, n /∈ Iseen holds at line 16 when the second search procedure is called atline 9 with tk as a parameter. Because count [qk−1] is nevertheless updatedto a value greater than or equal to n during the second search from tk (atline 20), it is easy to see that n must be inserted to Iunseen_fulfilled during thesearch, and thus the second search from tk must reach qk−1 via a chain oftransitions (with nonempty guards) which fulfills the acceptance conditionfn. Therefore qk−1 and qk are source states of transitions in a cycle thatfulfills the condition fn, and the result follows. �

It is now easy to prove the soundness of the algorithm using Lemma 8.3.3.

Proposition 8.3.4 Let A = 〈Σ, Q,∆, qI ,F〉 (F 6= ∅) be the nondetermin-istic automaton (working in inf-acceptance mode) given as input for the al-gorithm. Let t ∈ ∆ be a transition from which the algorithm starts a sec-ond search at line 9. If count [q] = |F| holds during this search for a stateq ∈ path_stack(t), then A contains an accepting cycle. In particular, thisholds if the algorithm reports that A does not inf-recognize the empty lan-guage.

Proof: Because the top-level search is started from the initial state qI of theautomaton, qI ∈ path_stack(t) certainly holds, and there exists a path fromqI to q in A (corresponding to a chain of transitions, the guards of which arenonempty) by Lemma 8.3.2. Because count [q] ≥ i holds for all 1 ≤ i ≤ |F|,it follows by Lemma 8.3.3 that for all 1 ≤ i ≤ |F|, the automaton containsa cycle (of transitions with nonempty guards) which fulfills the acceptancecondition fi and visits the state q. Because all of these cycles visit the state q,they can be merged together to obtain an accepting cycle for the automaton.The soundness of the algorithm now follows from the condition at line 10of the top-level search procedure since the program variable q refers to thetopmost state of path_stack at this point. �

CompletenessWe now turn to the completeness of the algorithm. Again, we start by listingseveral basic facts about the behavior of the algorithm for future reference.

Lemma 8.3.5 Let t =⟨q,Γ, F, {q′}

⟩∈ ∆ be a transition from which the

algorithm starts a second search at line 9. Then, q′ ∈ visited(t) holds.

Proof: The result follows from the condition at line 7 of the algorithm: ifq′ /∈ visited holds at this point, the algorithm calls the TOP-LEVEL-SEARCH

procedure recursively for the state q′, and q′ is added to the visited set atline 4 of the algorithm before a second search from the transition t. �


Lemma 8.3.6 Let t ∈ ∆ be a transition from which the algorithm starts asecond search at line 9. If there exists a state q ∈ visited(t) and a transitiont′ =

⟨q,Γ, F, {q′}

⟩∈ ∆ such that Γ 6= ∅ and q′ ∈ Q \ visited(t) hold, then

q ∈ path_stack(t) holds.

Proof: Let q be a state satisfying the assumptions. Because q ∈ visited(t)holds, the top-level search has entered q. If the search had also backtrackedfrom q, then the algorithm would have reached line 12 with q on top ofthe top-level search stack. Therefore the algorithm would have initiated asecond search from all transitions (with a nonempty guard) having q as itssource state, in particular, from the transition t′. But then q′ ∈ visited wouldhold at the beginning of the search from t by Lemma 8.3.5, contrary to theassumption. Therefore, the top-level search has not yet backtracked from q,and q ∈ path_stack(t) holds. �

Lemma 8.3.7 Let⟨q,Γ, F, {q′}

⟩∈ ∆ be a transition for which the algorithm

calls the second search procedure at line 9 or 25. If c ≥ n holds at line 18for some 0 ≤ n ≤ |F| at the beginning of the call, then count [q′] ≥ n holdswhen this call returns.

Proof: If count [q′] < n holds at line 18, count [q′] is updated to the value c(≥ n) at line 20 of the algorithm, and the result follows from the fact thatcount [q′] never decreases during the execution of the algorithm. �

Lemma 8.3.8 Assume that the algorithm reaches line 20 during a secondsearch started from a transition t ∈ ∆ such that c ≥ n holds for some 1 ≤n ≤ |F|, and the program variable q′ refers to a state q ∈ Q at this point.The second search procedure will be called recursively for every transition(with a nonempty guard) having q as its source state such that c ≥ n holds atline 18 at the beginning of each call.

Proof: The result holds trivially if q has no successors, or if all transitions

starting from q have an empty guard. Otherwise, let t′ =⟨q,Γ, F, {q′}

⟩be

a transition (with Γ 6= ∅) having q as its source state. It is easy to see fromline 20 that count [q] ≥ n will hold at the end of the second search from t.

Assume that q′ ∈ visited(t) holds. Denote by I the contents of the Iseen

set at the beginning of the first iteration of the loop at line 24 when theprogram variable q′ refers to the state q with c ≥ n. Because c ≥ n holds, it iseasy to see that {1, 2, . . . , n} ⊆ I holds at this point. Because Iseen = I holdsat the beginning of each iteration of the loop (and therefore, in particular, atthe beginning of the recursive call of the second search procedure for thetransition t′), line 17 guarantees that c ≥ n holds at line 18 in the beginningof this call.

If q′ /∈ visited(t) holds, the algorithm has not yet started a second searchfrom the transition t′ (Lemma 8.3.5), and thus t′ > t holds. Furthermore,q ∈ path_stack(t) holds by Lemma 8.3.6, i.e., the top-level search has notbacktracked from the state q before the second search from t. Clearly, a sec-ond search is started from the transition t′ before the top-level search back-tracks from q. Because count [q] ≥ n holds at the end of the second searchfrom t, it follows from the initialization of the Iseen set at line 8 that c ≥ n


will hold at line 18 when the second search is started from the transition t′ atline 9. �

In the following results, we shall refer to a maximal strongly connectedcomponent C ⊆ Q∪∆ that contains either the initial state of the automatonor a state reachable from the initial state of the automaton via a chain oftransitions with nonempty guards. Clearly, the top-level search will in thiscase explore all states in the component, and thus there exists a state q ∈C∩Q that is the first state of C pushed on the top-level search stack. Becausethe elements of this stack are accessed in “last in, first out” order, it is easy tosee that q is the last state of C from which the top-level search backtracks.

Our goal is to show that if the component C contains an accepting cycle,then there exists a state q ∈ C∩Q in the component (namely, the first state qof the component entered in the top-level search) for which count [q] = |F|holds when the top-level search is about to backtrack from the state q. Clearly,this implies that the algorithm will report that the language inf-recognizedby the automaton is not empty (at the latest) at line 10 with q on top ofpath_stack . (Because C contains an accepting cycle, C contains at least onetransition having a nonempty guard and q as its source state, and thus it iseasy to see that the algorithm will in fact reach line 10 with q on top of thetop-level search stack before the top-level search backtracks from q.)

More generally, we shall be interested in finding states q ∈ C ∩ Q forwhich count [q] ≥ n holds for some 1 ≤ n ≤ |F| when the top-level search isabout to backtrack from the state q at line 13. Given a path in the automaton(corresponding to a nonempty chain of transitions with nonempty guards),this property is guaranteed to hold for the last state q (in the path) for whichcount [q] ≥ n holds at the end of a second search started in the first state ofthe path unless the path ends in the state q.

Lemma 8.3.9 Let q0, q1, . . . , qk ∈ Q be the list of consecutive states in a path(corresponding to a nonempty chain of transitions with nonempty guards)from the state q0 to the state qk in the automaton for some 1 ≤ k < ω. As-sume that there exists a maximal index 0 ≤ ` ≤ k for which count [q`] ≥ nholds for some 1 ≤ n ≤ |F| at the end of a second search from a transitiont ∈ ∆ having q0 as its source state (line 10). If ` < k holds, then q` is astate for which count [q`] ≥ n already holds when the top-level search back-tracks from the state q`. Actually, in this case count [q`] ≥ n holds before thealgorithm starts a second search from any transition from q` to q`+1.

Proof: Because n ≥ 1 holds, there exists a transition t′ ∈ ∆, t′ ≤ t, suchthat the second search started from t′ reached line 20 of the algorithm suchthat the program variable q′ referred for the first time to the state q` withc ≥ n. Clearly, q` ∈ visited(t′) holds, and the top-level search had enteredq` at some point. By Lemma 8.3.8, the algorithm calls the second search pro-cedure recursively for every transition (with a nonempty guard) with sourcestate q` and target state q`+1 such that c ≥ n holds at line 18 at the beginningof this call. If q`+1 ∈ visited(t′) holds, such a call occurs during the secondsearch started from the transition t′. But then count [q`+1] ≥ n would holdat the end of the call by Lemma 8.3.7, and therefore also at the end of the


second search from t. This contradicts the maximality of `, however. It fol-lows that q`+1 /∈ visited(t′) holds, and by Lemma 8.3.6, q` ∈ path_stack(t′)holds. Thus the top-level search backtracks from the state q` after the sec-ond search from t′, and count [q`] ≥ n holds when this occurs. The secondclaim follows from Lemma 8.3.5: because q`+1 /∈ visited(t′) holds, no sec-ond search can have been started at line 9 from a transition with source stateq` and target state q`+1 before updating count [q`] to a value greater than orequal to n (in the second search from t′). �

Lemma 8.3.9 leads to the following result, which can then be used toshow that the reachability information (i.e., the knowledge on the reachabil-ity of states via chains of transitions that fulfill certain acceptance conditions)stored in the count table propagates towards the first state of the maximalstrongly connected component C entered in the top-level search.

Lemma 8.3.10 Let C be a maximal strongly connected component of theautomaton, and let q ∈ C ∩ Q be the first state of the component enteredin the top-level search. Let q ∈ C ∩ Q, q 6= q, be another state in thecomponent such that count [q] ≥ n holds for some 1 ≤ n ≤ |F| when thetop-level search is about to backtrack from the state q at line 13. There existsa state q′ ∈ C ∩ Q, q′ 6= q, such that the top-level search backtracks fromq′ after backtracking from q, and count [q′] ≥ n holds when this occurs atline 13.

Proof: Because q and q belong to the same maximal strongly connected com-ponent, but q 6= q holds, there exists a path (corresponding to a nonemptychain of transitions with nonempty guards) from q to q in the automaton.Clearly, all states in this path are contained in C. Let q0, q1, . . . , qk ∈ C ∩Q(1 ≤ k < ω, q0 = q, qk = q) be the list of consecutive states in this path.Because count [q0] ≥ n holds when the top-level search is about to backtrackfrom the state q0 at line 13, there exists a maximal index 0 ≤ ` ≤ k suchthat count [q`] ≥ n holds at this point. Clearly, count [q`] ≥ n holds alreadyat the end of a second search started at line 9 from the last transition t ∈ ∆(with source state q0 and a nonempty guard) which was processed in the loopbetween lines 5 and 11 (and such a transition exists because C contains apath from q0 to qk corresponding to a nonempty chain of transitions withnonempty guards).

If ` = k holds, the result follows immediately (with q′ = q) by the choiceof q. Otherwise, by Lemma 8.3.9, count [q`] ≥ n holds at the beginning ofany second search starting at line 9 from a transition from q` to q`+1 (andstill when the top-level search is about to backtrack from the state q`). Lett′ ∈ C ∩ ∆ be a transition from q` to q`+1 with a nonempty guard. If thetop-level search had backtracked from q` before backtracking from q0 (or ifq` = q0), a second search would have been started from the transition t′. Butthen, because count [q`] ≥ n holds at the beginning of this second search(and because q`+1 ∈ visited(t′) necessarily holds by Lemma 8.3.5 at thispoint), it follows by Lemma 8.3.7 that count [q`+1] ≥ n would hold when thetop-level search backtracks from the state q0. This, however, contradicts themaximality of `. Therefore, q` 6= q0 holds, and the top-level search backtracks


from q` only after backtracking from q0 (= q). The result now follows withq′ = q`. �

Corollary 8.3.11 Let C be a maximal strongly connected component of theautomaton, and let q ∈ C ∩Q be the first state of the component entered inthe top-level search. Let q ∈ C ∩ Q be a state in the component such thatcount [q] ≥ n holds for some 1 ≤ n ≤ |F| when the top-level search is aboutto backtrack from q at line 13. Then, count [q] ≥ n holds when the top-levelsearch is about to backtrack from q.

Proof: The result holds trivially if q = q. Let thus q 6= q. Because count [q] ≥n ≥ 1 holds when the top-level search is about to backtrack from the state qat line 13, then, by Lemma 8.3.10, there exists a state q′ ∈ C ∩ Q, q′ 6= q,from which the top-level search backtracks after backtracking from the stateq, and count [q′] ≥ n holds when this occurs.

By repeating the argument, we can now construct a sequence of distinctstates q, q′, . . . ∈ C ∩ Q such that for any state q′′ in the sequence, the top-level search backtracks from the state q′′ only after backtracking from all statesthat precede it in the sequence, and count [q′′] ≥ n holds when the top-levelsearch backtracks from q′′. Because C is finite and q is the last state in Cfrom which the top-level search backtracks, the sequence ends with the stateq, and the result follows. �

On the other hand, when the top-level search is about to backtrack fromthe first state q of the component C entered in the top-level search, thefollowing relationship holds between count [q] and the values stored in thecount table for other states in the component.

Lemma 8.3.12 Let C be a maximal strongly connected component of theautomaton, and let q ∈ C ∩Q be the first state of the component entered inthe top-level search. Assume that count [q] = n holds for some 0 ≤ n ≤ |F|when the top-level search backtracks from q at line 13. Then, count [q] ≥ nholds for all q ∈ C ∩Q at this point.

Proof: The result holds trivially if n = 0. For the rest of the proof, we assumethat n > 0 holds. Let q ∈ C ∩ Q. Because q and q belong to the samemaximal strongly connected component, there exists a path from q to q inthe automaton such that the path corresponds to a (possibly empty) chain oftransitions with nonempty guards. We proceed by induction on the numberof transitions in the chain.

If the chain is empty, then q = q, and the result holds for the state qtrivially.

Assume that the result holds for all states in C to which there exists apath from q corresponding to a shortest chain of 0 ≤ k < ω transitions withnonempty guards, and let q ∈ C ∩ Q be a state that is reachable from qvia a shortest chain (ti)

ki=0 of k + 1 transitions with nonempty guards (ti =⟨

qi,Γi, Fi, {qi+1}⟩∈ ∆ for all 0 ≤ i ≤ k, q0 = q, and qk+1 = q). Clearly,

qk is reachable from q via a path that corresponds to a chain of k transitionswith nonempty guards, and because q, q ∈ C, qk ∈ C holds also. By the


induction hypothesis, count [qk] ≥ n > 0 holds when the top-level searchbacktracks from q. This implies the existence of a transition t ∈ ∆ suchthat count [qk] was first updated to a value greater than or equal to n duringa second search started (at line 9) from the transition t. It follows that thealgorithm reached line 20 such that the program variable q′ referred to thestate qk with c ≥ n. Let t′ ∈ C ∩ ∆ be a transition (with a nonempty guard)from qk to q. By Lemma 8.3.8, the algorithm will call the second searchprocedure recursively for the transition t′ such that c ≥ n holds at line 18 atthe beginning of this call. Furthermore, by the choice of q, this call occursbefore the top-level search backtracks from the state q. By Lemma 8.3.7, itfollows that count [q] ≥ n holds when the top-level search backtracks from q.

The result now follows by induction for all states q ∈ C ∩Q. �

A maximal strongly connected component C that contains an acceptingcycle includes an f -transition (with a nonempty guard) for every acceptancecondition f ∈ F . We wish to use Corollary 8.3.11 to show that the existenceof such transitions forces the condition at line 10 to hold in the first state of Centered in the top-level search. However, Corollary 8.3.11 does not directlyrefer to such f -transitions. We therefore need the following technical result,which establishes a connection between the existence of an fn-transition (inC) for some 1 ≤ n ≤ |F| and a state q ∈ C ∩ Q for which count [q] ≥ nholds when the top-level search is about to backtrack from the state.

Lemma 8.3.13 Let C be a maximal strongly connected component of theautomaton, and let q ∈ C ∩ Q be the first state of the component enteredin the top-level search. Let tfn+1 =

⟨qfn+1 ,Γfn+1, Ffn+1 , {q

′fn+1

}⟩∈ C ∩ ∆

be an fn+1-transition of A (with fn+1 ∈ Ffn+1 and Γfn+1 6= ∅) for some 0 ≤n < |F|. Assume that, before the top-level search backtracks from the stateq, the SECOND-SEARCH procedure is called at line 9 or 25 of the algorithmwith tfn+1 as a parameter such that c ≥ n holds at the beginning of this callat line 18. There exists a state q ∈ C ∩ Q such that count [q] ≥ n + 1 holdswhen the top-level search is about to backtrack from the state q at line 13.

Proof: Clearly, the call to the SECOND-SEARCH procedure with tfn+1 as aparameter occurs during a second search started at line 9 from a transitiont ∈ ∆ such that there exists a path (corresponding to a possibly empty chainof transitions with nonempty guards) from the source state of t to the stateqfn+1 in the automaton. Because c ≥ n holds at line 18 and fn+1 ∈ Ffn+1 , itactually follows that c ≥ n+1 holds at line 18, and thus count [q′fn+1

] ≥ n+1holds at the end of the second search from t by Lemma 8.3.7.

Because q′fn+1∈ C holds, there exists a path from q′fn+1

to q that corre-sponds to a (possibly empty) chain of transitions with nonempty guards thatvisits only states in C. Thus there exists a path from the source state q0 oft to q (corresponding to a nonempty chain of transitions whose guards arenonempty) in the automaton. Let q0, q1, . . . , qk ∈ Q (1 ≤ k < ω, qk = q,qi = q′fn+1

for some 1 ≤ i ≤ k, and qj ∈ C for all i ≤ j ≤ k) be the listof consecutive states in this path. Because count [q′fn+1

] ≥ n + 1 holds at theend of the second search from t, there exists a maximal index i ≤ ` ≤ k suchthat count [q`] ≥ n+ 1 holds at this point.


If ` = k holds, then the result follows (with q = q) by the choice of q.Otherwise count [q`] ≥ n+ 1 holds when the algorithm is about to backtrackfrom the state q` by Lemma 8.3.9, and the result holds with q = q` becauseq` ∈ C. �

We can now prove the completeness of the algorithm.

Proposition 8.3.14 Let A = 〈Σ, Q,∆, qI ,F〉 (where F = {f1, f2, . . . , fn}is a nonempty finite set of 1 ≤ n < ω acceptance conditions) be a nondeter-ministic automaton (working in inf-acceptance mode) given as input for thealgorithm. If A contains an accepting cycle, the algorithm reports that thelanguage inf-recognized by A is not empty.

Proof: Because the automaton A contains an accepting cycle, A has a maxi-mal strongly connected component C ⊆ Q ∪ ∆ that includes a state reach-able from qI via a chain of transitions with nonempty guards, and an fi-transition (with a nonempty guard) for all 1 ≤ i ≤ |F|. Let q be the first stateof C entered in the top-level search.

Assume that count [q] = m < n holds when the top-level search is aboutto backtrack from the state q. By Lemma 8.3.12, it follows that count [q] ≥ mholds for all q ∈ C ∩Q at this point.

Because C contains an accepting cycle, there exists an fm+1-transitiontm+1 ∈ C ∩ ∆ with a nonempty guard. We claim that the algorithm callsthe second search procedure at line 9 or 25 for the transition tm+1 such thatc ≥ m holds at line 18 at the beginning of this call. This is clear if m = 0,because a second search is started from every transition in C before the top-level search backtracks from the state q. If m > 0, then, because count [q] ≥m holds for all q ∈ C ∩ Q before the top-level search backtracks from thestate q (but count [q] = 0 holds for all q ∈ C ∩ Q initially), the algorithmreached line 20 such that the program variable q′ referred to the source stateof tm+1 with c ≥ m before the top-level search backtracks from q. In this casethe second search procedure will be called for the transition tm+1 (before thetop-level search backtracks from q) such that c ≥ m holds at line 18 at thebeginning of this call by Lemma 8.3.8.

Because c ≥ m holds at line 18 when the second search procedure iscalled with the transition tm+1 (which is an fm+1-transition of A) as a param-eter, it now follows by Lemma 8.3.13 that there exists a state qm+1 ∈ C ∩ Qsuch that count [qm+1] ≥ m + 1 holds before the top-level search backtracksfrom qm+1. But then, by Corollary 8.3.11, count [q] ≥ m+ 1 holds when thetop-level search backtracks from the state q. This contradicts the assumptionthat count [q] = m < n holds at this point.

It follows that count [q] ≥ n necessarily holds when the top-level searchbacktracks from q (and count [q] = n, because c ≤ n clearly holds always atline 20, the only location where the value of count [q] may change). There-fore, because q ∈ C is the source state of at least one transition with anonempty guard, the algorithm will report that the language inf-recognizedby the automaton is not empty at line 10 before the top-level search back-tracks from q (at the latest, after a second search from the last transition ex-amined in the loop between lines 5 and 11 with q on top of path_stack ).

�


8.3.3 Compatibility with Enhancements of Classic Nested Depth-First Search

This section lists some observations [Tauriainen 2005, 2006] on the compat-ibility of the language emptiness checking algorithm with techniques usedwith the classic nested depth-first search algorithm. Many of these tech-niques are designed to be used in the specific context of verification, wherethe nondeterministic automata are built on-the-fly as “products” of severalsmaller components. The exact form of the product operation depends onthe semantics of the components, which may not be strictly defined as au-tomata. A classic example of a product operation is the synchronous prod-uct of a finite number (1 ≤ n < ω) of nondeterministic automata Ai =

〈Σi, Qi,∆i, qIi,Fi〉 (1 ≤ i ≤ n) defined as the automaton Adef=

⟨ ⋃1≤i≤n Σi,

Q1 ×Q2 × · · · ×Qn,∆, 〈qI1, qI2, . . . , qIn〉,⋃

1≤i≤n

(Fi × {i}

)⟩, where

∆def=

{⟨〈q1, q2, . . . , qn〉,

⋂1≤i≤n Γi,

⋃1≤i≤n

(Fi × {i}

), {〈q′1, q

′2, . . . , q

′n〉}

⟩⟨qi,Γi, Fi, {q

′i}

⟩∈ ∆i for all 1 ≤ i ≤ n

}.

If the automata Ai share the same alphabet Σ, it is straightforward to checkthat the automaton A inf-accepts a word w ∈ Σω iff w ∈

⋂1≤i≤n Linf(Ai)

holds. (As illustrated by the definition of the synchronous product, the num-ber of transitions generated by product constructions is often exponential inthe number of components in the product. This feature provides motiva-tion for minimizing the number of states explored by a language emptinesschecking algorithm [Schwoon and Esparza 2005].)

Constructing Accepting Cycles

In addition to checking the languages inf -recognized by nondeterministicautomata for emptiness, verification usually includes the additional task offinding accepting cycles for automata with nonempty languages to be usedas “counterexamples” for showing why a verification run failed. Unlike theclassic nested depth-first search algorithm [Courcoubetis et al. 1991, 1992],the emptiness checking algorithm of Fig. 8.2 does not support extracting ac-cepting cycles directly from its internal data structures when reporting lan-guage nonemptiness (except for a path from the initial state of the automatonto a state visited by an accepting cycle). In principle, it is straightforward toconstruct an actual accepting cycle using additional search in the automaton,for example, by using techniques suggested by Latvala and Heljanko [1999,2000]. (This search can be restricted to states explored in the emptinesssearch algorithm.)

Optimizations

A standard heuristic to speed up the detection of language nonemptinessis to use information about the states in the top-level search stack to aborta second search as soon as possible [Holzmann et al. 1997]: it is easy to seefrom Lemma 8.3.3 that language nonemptiness can be reported immediatelywhen a second search updates count [q] to the value |F| at line 20 of thealgorithm for a state q currently in the top-level search stack. States in thestack can be distinguished easily by using an additional bit of memory perstate in the search hash table [Holzmann et al. 1997].


It is easy to show that the second search started from a transition couldalways be restricted to the maximal strongly connected component (or anyoverapproximation thereof) which contains the source state of the transition:if the source state and the target state of a transition t belong to differentmaximal strongly connected components, it follows that no state in the top-level search stack can be reached via a chain of transitions beginning with thetransition t (and thus count [q] will not change for any state q in the top-levelsearch stack when exploring states reachable via the transition t). Althoughit does not make sense to find the maximal strongly connected componentsof the automaton in order to run the NDFS algorithm, partial informationon the components may nevertheless be available if the automaton is builtas the product of smaller component automata. As suggested by Edelkampet al. [2001, 2004], the often more easily computable information on themaximal strongly connected components of the component automata canbe used to limit the extent of second searches in the NDFS algorithm.

The algorithm in Fig. 8.2 enhanced with the above optimization from[Holzmann et al. 1997] is compatible also with a heuristic suggested by Cou-vreur et al. [2005] to further speed up the detection of language nonempti-ness. Intuitively, whereas the enhanced algorithm considers only the accep-tance conditions “seen” in a chain of transitions beginning from the sourcestate of a second search when testing whether a state reached in the top-levelsearch stack closes an accepting cycle, it is sometimes possible to detect lan-guage nonemptiness faster by considering also the conditions in a chain oftransitions from this state to the state currently on the top of the top-levelsearch stack [Couvreur et al. 2005].

Partial Order Reduction

The effort needed for state space exploration in verification (language empti-ness checking) algorithms can often be reduced significantly by identifyingparts of the state space which can be ignored in the search without com-promising the completeness of the algorithm. For example, using conceptssuch as independence between transitions (defined in terms of the semanticsof the components from which the automaton is built), the classic nesteddepth-first search algorithm can be combined with on-the-fly partial orderreduction [Peled 1994, 1996] to restrict the set of successors to explore froma given state of the state space. From a purely theoretical viewpoint, par-tial order reduction can be seen as an automaton transformation which pre-serves the emptiness or nonemptiness of its language; in principle, a languageemptiness checking algorithm can be combined with any such transforma-tion to obtain a sound and complete verification procedure.

In practice, however, combining state space reductions with languageemptiness checking may require additional effort to ascertain that the reduc-tion will not interfere with the preservation of language (non)emptiness. Forexample, in the case of partial order reduction and classic nested depth-firstsearch, extra memory may be needed to ensure that revisiting a state dur-ing a second search will not affect the set of successors chosen for the statewhen it was first visited [Holzmann et al. 1997]. The techniques suggestedin [Holzmann et al. 1997] apply also to the algorithm in Fig. 8.2 to make itcompatible with partial order reduction.


Bitstate Hashing and Hash Compaction

Explicit-state model checking tools employ probabilistic state explorationtechniques such as bitstate hashing [Holzmann 1987, 1988] or hash com-paction [Wolper and Leroy 1993; Stern and Dill 1995, 1996] to reduce mem-ory usage at the risk of losing the completeness of the language emptinesschecking algorithm by exploring only a part of the state space of the automa-ton, using hash functions that may map several states of the automaton to thesame entry in the search hash table. Compatibility with bitstate hashing wasoriginally considered to be one of the main advantages of the classic nesteddepth-first search algorithm [Courcoubetis et al. 1991, 1992] over alterna-tive language emptiness checking algorithms, although recent research onthese algorithms has shown bitstate hashing to be applicable as well to algo-rithms based on Tarjan’s algorithm [Geldenhuys and Valmari 2005]. Below,we list changes needed to make the language emptiness checking algorithmpresented in this chapter compatible with imperfect hashing.

The soundness of the language emptiness checking algorithm shown inFig. 8.2 rests on the property that count [q] ≥ n holds for some state q cur-rently in the top-level search stack for some 1 ≤ n ≤ |F| only if the au-tomaton contains a cycle which visits the state q and fulfills the acceptancecondition fn (Lemma 8.3.3). Unfortunately, this property cannot be guaran-teed with imperfect hashing without a way to keep exact track of the contentsof the count table for states currently in the top-level search stack. A sim-ple possibility is to store the values associated with the states in the stack ina separate hash table that is always consulted first when accessing entries inthe count table during second searches. When a state q is entered in thetop-level search, count [q] should be set to zero in this hash table; conversely,updates made to this table should be copied back to the imperfectly hashedpart of the table when the top-level search backtracks from the state q. (Toensure that the algorithm still works within the bound given in Table 8.1 forthe number of states visited by the algorithm, the update should not be done,however, if the value of count [q] would decrease in the imperfectly hashedpart of the table.)

The feasibility of the above strategy in the reduction of memory require-ments depends critically on the assumption that the depth of the top-levelsearch stack remains small in comparison with the number of states in the au-tomaton. Unfortunately, there exists experimental evidence [Pelánek 2004]suggesting that this assumption does not usually hold for depth-first state ex-ploration algorithms in actual verification examples.

State Space Caching

Restricting the second searches to states that have been explored in the top-level search makes the generalized algorithm incompatible with state spacecaching techniques [Holzmann 1985; Godefroid et al. 1993, 1995], whichreduce the memory requirements of the search at the risk of repeating thesearch multiple times in parts of the automaton; the completeness of the al-gorithm is not preserved, for example, in the extreme case when only thestates in the top-level search stack are kept in the state space cache. This alsomakes it impossible to apply heuristics for choosing which states to keep inthe set of visited states (see, e.g., [Brim et al. 2001]). Making the algorithm


compatible with state space caching therefore limits opportunities for remov-ing states from the visited set. However, the requirements on the count tablecan be relaxed somewhat: for example, entries that do not refer to states cur-rently in the top- or second-level search stacks need not be kept in this table.(Making this work nevertheless requires ensuring that, when backtracking toa state during a second search, the iteration over the transitions beginningfrom the state at line 24 is never continued from a transition that has alreadybeen processed.)


9 CONCLUSION

The close connection between linear time temporal logic and self-loop al-ternating automata gives rise to conceptually simple translation proceduresbetween LTL and automata. To implement decision procedures for thislogic and its applications, the alternating automata built from formulas inthe logic are usually translated explicitly or implicitly into nondeterminis-tic automata, which can then be analyzed using, for example, well-knownsimple graph algorithms. The worst-case exponential combinatorial cost ofnondeterminization makes the behavior of the decision procedures very sen-sitive to the properties of the alternating automata: intuitively, even smallchanges to the alternating automata may have visible effects on the results ofnondeterminization. This motivates the study of methods for optimizing thetranslation of LTL into self-loop alternating automata. Even though the non-deterministic automata built from self-loop alternating automata still haveexponential size in the length of an LTL specification in the worst case, thetranslation from LTL into nondeterministic automata may be manageablein a more robust way as separate, more easily understandable subtasks, asevidenced also by practical observations on the difficulty of implementingefficient translation procedures for LTL correctly [Tauriainen and Heljanko2000, 2002]. Additionally, it is in some cases possible to speed up on-the-fly verification by combining nondeterminization of alternating automata di-rectly with language emptiness checking [Hammer et al. 2005].

Although the differences between state-based and transition-based, and onthe other hand, nongeneralized and generalized, Büchi acceptance are sim-ple in a theoretical sense, this work illustrates and reinforces in a single frame-work the well-known advantages of using generalized transition-based accep-tance for both understanding and even implementing the LTL verificationprocedure [Couvreur 1999; Gastin and Oddoux 2001; Giannakopoulou andLerda 2002; Thirioux 2002]. The constructions involving self-loop alternat-ing automata built from LTL formulas benefit from the generalized notionof acceptance: the acceptance conditions of the automata can easily be usedfor encoding semantic properties of LTL formulas ([Gerth et al. 1995; Gastinand Oddoux 2001]; Sect. 3.1.1), and transition-based acceptance allows sep-arating purely “structural” features of the constructions from the semanticsof acceptance. For example, generalized transition-based acceptance allowsthe basic state-transition structure of nondeterministic automata built fromself-loop alternating automata to be defined, in effect, by adapting the classicsubset construction ([Gastin and Oddoux 2001]; Theorem 4.2.1). Althoughthis opportunity is not unique to using the transition-based notion of accep-tance [Hammer et al. 2005], the state-based construction of Hammer et al.[2005] nevertheless applies only to a subclass of very weak alternating au-tomata, whereas our transition-based approach covers all self-loop alternat-ing automata, however, at the—in the general case, unavoidable—cost ofincreasing the number of acceptance conditions in the subset construction(Proposition 4.2.3). However, the introduction of new acceptance conditionscan be avoided when working with automata that have uniform acceptancesynchronized accepting runs on all words in their language (Theorem 4.3.2).

9. CONCLUSION 209

Most importantly, all automata built from LTL formulas using the translationrules presented in this work (Sect. 3.1, Table 3.1, Table 5.2, Table 5.3) havethis property (by Proposition 4.3.5, via Lemma 4.3.8, Proposition 5.4.3, andProposition 5.5.1); in comparison, the construction of Hammer et al. [2005]depends on using additional rewrite rules for LTL formulas to ensure that theautomata belong to the intended subclass.

Also syntactic optimization techniques proposed for direct translation al-gorithms from LTL into nondeterministic automata [Daniele et al. 1999;Giannakopoulou and Lerda 2002] can easily be described as modificationsto the nondeterminization construction (Sect. 4.5). Further improvementsto the translation procedure are easily understood by making use of infor-mation on language containment relationships between self-loop alternatingautomata (Sect. 5.3); these relationships were essential also in the design ofthe refined translation rules that can be used as heuristics to reduce univer-sal choice in the automata (Table 5.2, Table 5.3). In most cases, the op-timized nondeterminization construction remains applicable also when re-moving redundant transitions from the automata (Sect. 6.2.5). Because LTLand self-loop alternating automata have the same expressive power ([Rohde1997; Löding and Thomas 2000]; Theorem 3.3.2, Theorem 3.4.2), the lan-guage containment based improvements to the translation procedure can, inprinciple, be implemented effectively without a general complementationprocedure for alternating automata—in many cases, by simply reusing thebasic translation procedure from LTL into self-loop alternating automata.

Transition-based acceptance is useful also for extending known syntacticsubclasses of LTL [Schneider 1999; Maidl 2000a] (shown to be expressivelyclosely related in Sect. 4.6.4 of this work) which can be translated directlyinto self-loop nondeterministic automata without applying the subset con-struction (Sect. 4.6, Sect. 5.6.3). For example, even though there is no veryweak nondeterministic automaton (in the sense of Rohde [1997] or Gastinand Oddoux [2001], i.e., using state-based acceptance) recognizing the mod-els of the LTL formula GFp for an atomic proposition p, transition-based ac-ceptance allows formulas of this form (and, as a matter of fact, also their logi-cal conjunctions) to be naturally expressed as single-state self-loop automata,which can furthermore be obtained effectively using the refined translationrules (Table 5.2, Table 5.3). Additionally, the automata-theoretic study ofthese subclasses of LTL leads easily to simple NP-completeness results ontheir satisfiability (Corollary 4.6.11, Proposition 5.6.7). These syntactic sub-classes differ from classic subclasses whose satisfiability is NP-complete byrestricting the ways to combine subformulas into compound formulas insteadof the set of operators allowed to occur in the formulas.

Finally, generalized transition-based acceptance can also be handled di-rectly in language emptiness checking algorithms for nondeterministic au-tomata without the need to translate the automata to simpler formalisms[Couvreur 1999; Tauriainen 2004, 2006]. In particular, because the blow-up caused by translating generalized acceptance into nongeneralized accep-tance cannot be avoided in the general case (Proposition 8.2.1), bypassingdegeneralization of automata leads to a new variant of the nested depth-firstsearch language emptiness checking algorithm of Courcoubetis et al. [1991,1992] (Sect. 8.3) with improved worst-case resource requirements under gen-

210 9. CONCLUSION

eralized acceptance (see Table 8.1). The author has contributed an imple-mentation of the search heuristic used in this algorithm to version 0.3 of theopen source model checking library Spot [Duret-Lutz and Poitrenaud 2004].

Directions for Further Work

Implementing and extending the translation procedure. The first obvi-ous task for further work is to implement the high-level translation procedurepresented in Ch. 7 to evaluate its feasibility in practice. On a more theoreti-cal level, the translation procedure should be extended with translation rulesfor past time LTL connectives. There are freely available tools for testing thecorrectness of implementations of translation procedures from future timeLTL into automata [Tauriainen and Heljanko 2000, 2002]; such tools canalso be used for benchmarking purposes.

“Top-down” vs. “bottom-up” translation. Unlike tableau-based transla-tion algorithms, the proposed construction for translating LTL into alternat-ing automata does not support on-demand definition of an automaton start-ing from its initial state [Gerth et al. 1995; Bollig and Leucker 2001, 2003];obviously, a “top-down” version of the translation procedure would be veryattractive for being directly combined with on-the-fly nondeterminization oremptiness checking techniques. This feature is not unique to the proposedtranslation, however, as the need for constructing an automaton in full is alsoimplicit, for example, in the design of simulation-based minimization tech-niques for alternating and nondeterministic automata. Furthermore, becausethe number of states in an alternating automaton built from an LTL formulais linear in the length of the formula, the translation from LTL into alter-nating automata is intuitively less prone to exhibit the worst-case exponen-tial space requirements than direct explicit translation algorithms from LTLinto nondeterministic automata. A task for further work is to see whether thetranslation procedure could be implemented in a top-down manner while re-taining the applicability of at least some of the techniques used to minimizean automaton during the translation.

Explicit vs. symbolic definitions for alternating automata. Many of theproposed structural optimizations to self-loop alternating automata dependon the explicit notion of a transition of an alternating automaton. As a mat-ter of fact, the explicit encoding for the transition relation of an automatonis rather unattractive in a complexity-theoretic sense: for example, becausecomplementing an alternating automaton may result in an exponential blow-up in the automaton’s explicit representation, polynomial space automataconstructions which depend on the possibility to complement automata inpolynomial space do not trivially remain so when using the explicit defini-tion. Similarly, the basic translation procedure from LTL into self-loop alter-nating automata has exponential worst-case space complexity in the lengthof LTL specifications. Of course, this feature is common to translation pro-cedures for constructing automata from LTL formulas explicitly. An obvioustask for further work is to investigate whether transition-based generalized ac-ceptance and any of the explicit techniques for removing transitions couldbe combined with (or explained in terms of) traditional Boolean encodings

9. CONCLUSION 211

of the transition relation.

Cost of improvements to the translation procedure. Most of the proposedimprovements to the translation procedure make use of language contain-ment tests between self-loop alternating automata. Even though the lan-guage emptiness checks in the high-level algorithm of Ch. 7 can be per-formed in exponential space in essentially a single application of a nonde-terminization construction, the practicability of this procedure is neverthe-less likely to depend critically on heuristics to ensure that the language con-tainment testing is applied only conservatively due to the high worst-caseresource requirements. As a matter of fact, it is a valid question whether LTLformulas used in verification applications (which often have only few tem-poral operators with shallow nesting of temporal subformulas) exhibit redun-dancies which display as language containment between subformulas. Thisquestion can be answered only with experimental evaluation of the transla-tion procedure. Some of the suggested techniques are nevertheless applica-ble without the need for testing for language containment and could there-fore be used for improving related translation procedures that do not rely onsuch tests. For example, combining the universally applicable refined transla-tion rules with standard techniques for removing redundant transitions fromautomata sometimes reduces the number of transitions in the generated au-tomata from exponential to polynomial in the length of a formula for certainfamilies of LTL formulas (Ex. 6.2.12, Ex. 6.2.13).

Applications of acceptance synchronized runs. Despite the simple formof the results obtained by arguing about uniform acceptance synchronizedruns of alternating automata (for example, the optimized universal subsetconstruction of Theorem 4.3.2 and the refined translation rule for the ∧ con-nective in Table 5.2), checking for the preservation of the conditions thatimply the existence of such runs (Proposition 4.3.5) in optimizations for al-ternating automata is in the general case rather tedious due to the strongsemantic nature of the conditions. (This is apparent already in the proofs ofLemma 5.4.8, Lemma 5.5.4 and Proposition 6.2.8.) For the same reason,even though the result on the applicability of the optimized universal subsetconstruction (Corollary 4.3.7) does not explicitly refer to self-loop alternatingautomata (only acceptance closure and the existence of representative statesfor acceptance), it is an open question whether there actually exist any othereasily characterizable subclasses of alternating automata which could benefitfrom the optimized nondeterminization construction. Identifying such sub-classes would directly give new insight into the problem posed by Kupfermanand Vardi [2004] of searching for subclasses of alternating automata whichsupport optimized translation into nondeterministic automata with general-ized acceptance.

Improved heuristics for detecting redundant transitions. The techniquessuggested for removing redundant transitions from alternating automata(Proposition 6.2.2, Proposition 6.2.3) are obviously limited due to their ap-plicability only to the initial transitions of self-loop alternating automata. Ofcourse, this choice of focus stems from the goal of reducing the effort needed

212 9. CONCLUSION

to apply translation rules in the translation procedure from LTL into self-loop alternating automata. A possible task for further research is to investi-gate whether the results could be generalized or extended to obtain a com-plete “local” characterization of redundant (initial) transitions of self-loop ormore general alternating automata. Such generalizations would likely haveto be based on a weakened notion of substitutability of transitions under fin-acceptance: similarly to distributing the individual elements in the guardof a substituted transition among a set of substituting transitions, also theset intersection of the languages recognized by the subautomata rooted atthe target states of the substituted transition could be divided among severalsubstituting transitions. (In principle, an initial transition of any alternatingautomaton is redundant iff Proposition 2.3.15 still holds after removing thetransition for all words for which it held before removing the transition.) Onthe other hand, designing efficient heuristics for searching for suitable sets oftransitions in Proposition 6.2.2 and Proposition 6.2.3 is already a nonobvioustask with the definition of substitutability used in this work; a weaker defini-tion of substitutability will likely complicate the search for suitable subsets oftransitions. Another possibility for further work is to evaluate the feasibilityof transition redundancy analysis in self-loop alternating automata by makinguse of the connection to linear time temporal logic via the reverse translationprocedure.

Reducing nondeterminism in automata built in translation. Some au-thors [Etessami and Holzmann 2000; Sebastiani and Tonetta 2003] havequestioned whether minimizing the size of a nondeterministic automatonbuilt from a logical specification actually reduces the resources needed forverification in practice: clearly, minimizing the nondeterministic automatononly affects the worst case. As a matter of fact, there is some research andexperimental evidence [Thirioux 2002; Latvala 2003; Sebastiani and Tonetta2003] to support the view that the combinatorial explosion that arises in theactual verification step may be more efficiently reduced in practice by re-placing nondeterministic choice with deterministic choice in the automata.There are some obvious possibilities for trying to increase determinism in thesuggested constructions: for example, the translation rules for the binary tem-poral operators could be based on stronger fixpoint characterizations [Cou-vreur 1999; Thirioux 2002]. Additionally, a new translation rule for the ∨connective (modeled after the refined ∧ rule) could possibly help in “post-poning” nondeterministic choice in branches of runs of automata.

Extending NP-complete syntactic subclasses of LTL. Obviously, the syn-

tactic subclasses of LTL (LTLCND and LTLCND+) which were shown to be

translatable into nondeterministic self-loop automata without applying thesubset construction leave room for further possible extensions: the subclasseswere defined by examining only the translation rules without considering anyof the other suggested optimizations, such as removing transitions from au-tomata. On the other hand, as seen already from the definition of the class

LTLCND+(Sect. 5.6.3), purely syntactic characterizations of such subclasses

may easily degenerate into complex lists of mutually recursive special cases.Alternatively, the translation could be used in an experimental approach to

9. CONCLUSION 213

determining the fraction of LTL formulas (from a finite set of LTL formulasrestricted, for example, by their node size) belonging to such subclasses. Acomparison of the subclass (or any of the other known NP-complete sub-classes of LTL) against formula patterns used in verification [Dwyer et al.1999] could also give new insight into the theoretical complexity of verifica-tion of different types of properties.

214 9. CONCLUSION

BIBLIOGRAPHY

S. Aggarwal, C. Courcoubetis, and P. Wolper. Adding liveness properties tocoupled finite-state machines. ACM Transactions on Programming Lan-guages and Systems, 12(2):303–339, 1990.

M. Ben-Ari, Z. Manna, and A. Pnueli. The temporal logic of branchingtime. In Proceedings of the 8th Annual ACM Symposium on Principlesof Programming Languages (POPL 1981), pages 164–176. Association forComputing Machinery, 1981.

M. Ben-Ari, Z. Manna, and A. Pnueli. The temporal logic of branching time.Acta Informatica, 20(3):207–226, 1983.

S. Ben-David, R. Bloem, D. Fisman, A. Griesmayer, I. Pill, and S. Ruah.Automata construction algorithms optimized for PSL. Deliverable 3.2/4,PROSYD, 2005.

O. Bernholtz, M. Y. Vardi, and P. Wolper. An automata-theoretic approach tobranching-time model checking. In Proceedings of the 6th InternationalConference on Computer Aided Verification (CAV 1994), volume 818of Lecture Notes in Computer Science, pages 142–155. Springer-Verlag,1994.

B. Bollig and M. Leucker. Deciding LTL over Mazurkiewicz traces. In Pro-ceedings of the 8th International Symposium on Temporal Representationand Reasoning (TIME 2001), pages 189–197. IEEE Computer Society,2001.

B. Bollig and M. Leucker. Deciding LTL over Mazurkiewicz traces. Data &Knowledge Engineering, 44(2):219–238, 2003.

D. Bošnacki. A nested depth first search algorithm for model checking withsymmetry reduction. In Proceedings of the 22nd IFIP WG6.1 Interna-tional Conference on Formal Techniques for Networked and DistributedSystems (FORTE 2002), volume 2529 of Lecture Notes in Computer Sci-ence, pages 65–80. Springer-Verlag, 2002.

D. Bošnacki. A light-weight algorithm for model checking with symmetryreduction and weak fairness. In Proceedings of the 10th InternationalSPIN Workshop on Model Checking Software (SPIN 2003), volume 2648of Lecture Notes in Computer Science, pages 89–103. Springer-Verlag,2003.

L. Brim, I. Cerná, and M. Necesal. Randomization helps in LTL modelchecking. In Proceedings of the Joint Workshop on Process Algebra andProbabilistic Methods, Performance Modeling and Verification (PAPM-PROBMIV 2001), volume 2165 of Lecture Notes in Computer Science,pages 105–119. Springer-Verlag, 2001.

R. E. Bryant. Graph-based algorithms for Boolean function manipulation.IEEE Transactions on Computers, 35(8):677–691, 1986.

BIBLIOGRAPHY 215

J. A. Brzozowski and E. Leiss. On equations for regular languages, finiteautomata, and sequential networks. Theoretical Computer Science, 10(1):19–35, 1980.

J. R. Büchi. On a decision method in restricted second order arithmetic. InProceedings of the 1960 International Congress on Logic, Methodologyand Philosophy of Science, pages 1–11. Stanford University Press, 1962.

J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang.Symbolic model checking: 1020 states and beyond. Information and Com-putation, 98(2):142–170, 1992.

D. Bustan, D. Fisman, and J. Havlicek. Automata construction for PSL.Technical Report MSC05-04, The Weizmann Institute of Science, 2005.

D. Bustan and O. Grumberg. Applicability of fair simulation. In Proceedingsof the 8th International Conference on Tools and Algorithms for the Con-struction and Analysis of Systems (TACAS 2002), volume 2280 of LectureNotes in Computer Science, pages 401–414. Springer-Verlag, 2002.

D. Bustan and O. Grumberg. Applicability of fair simulation. Informationand Computation, 194(1):1–18, 2004.

A. K. Chandra, D. C. Kozen, and L. J. Stockmeyer. Alternation. Journal ofthe ACM, 28(1):114–133, 1981.

A. K. Chandra and L. J. Stockmeyer. Alternation. In Proceedings of the 17thAnnual Symposium on Foundations of Computer Science (FOCS 1976),pages 98–108. IEEE Computer Society, 1976.

Y. Choueka. Theories of automata on ω-tapes: A simplified approach. Jour-nal of Computer and System Sciences, 8:117–141, 1974.

E. M. Clarke and I. A. Draghicescu. Expressibility results for linear-time andbranching-time logics. In Linear Time, Branching Time and Partial Orderin Logics and Models for Concurrency, volume 354 of Lecture Notes inComputer Science, pages 428–437. Springer-Verlag, 1989.

E. M. Clarke and E. A. Emerson. Design and synthesis of synchroniza-tion skeletons using branching time temporal logic. In Proceedings ofthe Workshop on Logics of Programs 1981, volume 131 of Lecture Notesin Computer Science, pages 52–71. Springer-Verlag, 1982a.

E. M. Clarke and E. A. Emerson. Using branching time temporal logic tosyntesize synchronization skeletons. Science of Computer Programming,2(3):241–266, 1982b.

E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification offinite state concurrent systems using temporal logic specifications: A prac-tical approach. In Proceedings of the 10th Annual ACM Symposium onPrinciples of Programming Languages (POPL 1983), pages 117–126. As-sociation for Computing Machinery, 1983.

216 BIBLIOGRAPHY

E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification offinite-state concurrent systems using temporal logic specifications. ACMTransactions on Programming Languages and Systems, 8(2):244–263,1986.

E. M. Clarke, O. Grumberg, and K. Hamaguchi. Another look at LTL modelchecking. In Proceedings of the 6th International Conference on Com-puter Aided Verification (CAV 1994), volume 818 of Lecture Notes inComputer Science, pages 415–427. Springer-Verlag, 1994.

E. M. Clarke, O. Grumberg, and K. Hamaguchi. Another look at LTL modelchecking. Formal Methods in System Design, 10(1):47–71, 1997.

E. M. Clarke, O. Grumberg, and D. Peled. Model Checking. The MITPress, 1999.

S. Cook. The complexity of theorem-proving procedures. In Proceedingsof the 3rd Annual ACM Symposium on Theory of Computing (STOC1971), pages 151–158. Association for Computing Machinery, 1971.

C. Courcoubetis, M. Y. Vardi, P. Wolper, and M. Yannakakis. Memory-efficient algorithms for the verification of temporal properties. In Proceed-ings of the 2nd International Conference on Computer-Aided Verification(CAV 1990), volume 531 of Lecture Notes in Computer Science, pages233–242. Springer-Verlag, 1991.

C. Courcoubetis, M. Y. Vardi, P. Wolper, and M. Yannakakis. Memory-efficient algorithms for the verification of temporal properties. FormalMethods in System Design, 1:275–288, 1992.

J.-M. Couvreur. On-the-fly verification of linear temporal logic. In Proceed-ings of the FM’99 World Congress on Formal Methods in the Develop-ment of Computing Systems, Volume I, volume 1708 of Lecture Notes inComputer Science, pages 253–271. Springer-Verlag, 1999.

J.-M. Couvreur, A. Duret-Lutz, and D. Poitrenaud. On-the-fly emptinesschecks for generalized Büchi automata. In Proceedings of the 12th In-ternational SPIN Workshop on Model Checking Software (SPIN 2005),volume 3639 of Lecture Notes in Computer Science, pages 169–184.Springer-Verlag, 2005.

M. Daniele, F. Giunchiglia, and M. Y. Vardi. Improved automata genera-tion for linear temporal logic. In Proceedings of the 11th InternationalConference on Computer Aided Verification (CAV 1999), volume 1633of Lecture Notes in Computer Science, pages 249–260. Springer-Verlag,1999.

G. G. de Jong. An automata theoretic approach to temporal logic. In Pro-ceedings of the 3rd International Conference on Computer Aided Verifi-cation (CAV 1991), volume 575 of Lecture Notes in Computer Science,pages 477–487. Springer-Verlag, 1992.

BIBLIOGRAPHY 217

S. Demri and Ph. Schnoebelen. The complexity of propositional linear tem-poral logics in simple cases. In Proceedings of the 15th Annual Sympo-sium on Theoretical Aspects of Computer Science (STACS 1998), vol-ume 1373 of Lecture Notes in Computer Science, pages 61–72. Springer-Verlag, 1998.

S. Demri and Ph. Schnoebelen. The complexity of propositional linear tem-poral logics in simple cases. Information and Computation, 174(1):84–103, 2002.

A. Duret-Lutz and D. Poitrenaud. SPOT: an extensible model checking li-brary using transition-based generalized Büchi automata. In Proceedingsof the 12th IEEE/ACM International Symposium on Modeling, Analy-sis, and Simulation of Computer and Telecommunication Systems (MAS-COTS 2004), pages 76–83. IEEE Computer Society, 2004.

M. B. Dwyer, G. S. Avrunin, and J. C. Corbett. Patterns in property specifica-tions for finite-state verification. In Proceedings of the 1999 InternationalConference on Software Engineering (ICSE 1999), pages 411–420. Asso-ciation for Computing Machinery, 1999.

S. Edelkamp, A. Lluch Lafuente, and S. Leue. Directed explicit modelchecking with HSF-SPIN. In Proceedings of the 8th International SPIN

Workshop on Model Checking Software (SPIN 2001), volume 2057 ofLecture Notes in Computer Science, pages 57–79. Springer-Verlag, 2001.

S. Edelkamp, S. Leue, and A. Lluch-Lafuente. Directed explicit-state modelchecking in the validation of communication protocols. International Jour-nal on Software Tools for Technology Transfer (STTT), 5(2–3):247–267,2004.

E. A. Emerson. Temporal and modal logic. In Handbook of TheoreticalComputer Science: Formal Models and Semantics, volume B, pages 995–1072. Elsevier, 1990.

E. A. Emerson and J. Y. Halpern. “Sometimes” and “not never” revis-ited: On branching versus linear time. In Proceedings of the 10th An-nual ACM Symposium on Principles of Programming Languages (POPL1983), pages 127–140. Association for Computing Machinery, 1983.

E. A. Emerson and J. Y. Halpern. “Sometimes” and “not never” revisited:On branching versus linear time temporal logic. Journal of the ACM, 33(1):151–178, 1986.

E. A. Emerson and C. S. Jutla. Tree automata, mu-calculus and determi-nacy. In Proceedings of the 32nd Annual Symposium on Foundations ofComputer Science (FOCS 1991), pages 368–377. IEEE Computer Soci-ety, 1991.

E. A. Emerson, C. S. Jutla, and A. P. Sistla. On model checking for fragmentsof µ-calculus. In Proceedings of the 5th International Conference onComputer Aided Verification (CAV 1993), volume 697 of Lecture Notesin Computer Science, pages 385–396. Springer-Verlag, 1993.

218 BIBLIOGRAPHY

E. A. Emerson, C. S. Jutla, and A. P. Sistla. On model checking for theµ-calculus and its fragments. Theoretical Computer Science, 258(1–2):491–522, 2001.

E. A. Emerson and A. P. Sistla. Deciding branching time logic. In Pro-ceedings of the 16th Annual ACM Symposium on Theory of Comput-ing (STOC 1984), pages 14–24. Association for Computing Machinery,1984a.

E. A. Emerson and A. P. Sistla. Deciding full branching time logic. Informa-tion and Control, 61(3):175–201, 1984b.

K. Etessami. Stutter-invariant languages, ω-automata, and temporal logic.In Proceedings of the 11th International Conference on Computer AidedVerification (CAV 1999), volume 1633 of Lecture Notes in Computer Sci-ence, pages 236–248. Springer-Verlag, 1999.

K. Etessami. A hierarchy of polynomial-time computable simulations for au-tomata. In Proceedings of the 13th International Conference on Concur-rency Theory (CONCUR 2002), volume 2421 of Lecture Notes in Com-puter Science, pages 131–144. Springer-Verlag, 2002.

K. Etessami and G. J. Holzmann. Optimizing Büchi automata. In Pro-ceedings of the 11th International Conference on Concurrency Theory(CONCUR 2000), volume 1877 of Lecture Notes in Computer Science,pages 153–167. Springer-Verlag, 2000.

K. Etessami, Th. Wilke, and R. A. Schuller. Fair simulation relations, par-ity games, and state space reduction for Büchi automata. In Proceedingsof the 28th International Colloquium on Automata, Languages, and Pro-gramming (ICALP 2001), volume 2076 of Lecture Notes in ComputerScience, pages 694–707. Springer-Verlag, 2001.

K. Etessami, Th. Wilke, and R. A. Schuller. Fair simulation relations, paritygames, and state space reduction for Büchi automata. SIAM Journal onComputing, 34(5):1159–1175, 2005.

C. Fritz. Constructing Büchi automata from linear temporal logic usingsimulation relations for alternating Büchi automata. In Proceedings ofthe 8th International Conference on Implementation and Application ofAutomata (CIAA 2003), volume 2759 of Lecture Notes in Computer Sci-ence, pages 35–48. Springer-Verlag, 2003.

C. Fritz. Concepts of automata construction from LTL. In Proceedings ofthe 12th International Conference on Logic for Programming, ArtificialIntelligence, and Reasoning (LPAR 2005), volume 3835 of Lecture Notesin Computer Science, pages 728–742, 2005.

C. Fritz and Th. Wilke. State space reductions for alternating Büchi au-tomata: Quotienting by simulation equivalences. In Proceedings of the22nd Conference on Foundations of Software Technology and Theoreti-cal Computer Science (FSTTCS 2002), volume 2556 of Lecture Notes inComputer Science, pages 157–168. Springer-Verlag, 2002.

BIBLIOGRAPHY 219

C. Fritz and Th. Wilke. Simulation relations for alternating Büchi automata.Theoretical Computer Science, 338(1–3):275–314, 2005.

D. Gabbay, A. Pnueli, S. Shelah, and J. Stavi. On the temporal analysis offairness. In Proceedings of the 7th Annual ACM Symposium on Principlesof Programming Languages (POPL 1980), pages 163–173. Association forComputing Machinery, 1980.

P. Gastin, R. Meyer, and A. Petit. A (non-elementary) modular decision pro-cedure for LTrL. In Proceedings of the 23rd International Symposium onMathematical Foundations of Computer Science (MFCS 1998), volume1450 of Lecture Notes in Computer Science, pages 356–365. Springer-Verlag, 1998.

P. Gastin, P. Moro, and M. Zeitoun. Minimization of counterexamples inSPIN. In Proceedings of the 11th International SPIN Workshop on ModelChecking Software (SPIN 2004), volume 2989 of Lecture Notes in Com-puter Science, pages 92–108. Springer-Verlag, 2004.

P. Gastin and D. Oddoux. Fast LTL to Büchi automata translation. In Pro-ceedings of the 13th International Conference on Computer Aided Verifi-cation (CAV 2001), volume 2102 of Lecture Notes in Computer Science,pages 53–65. Springer-Verlag, 2001.

P. Gastin and D. Oddoux. LTL with past and two-way very-weak alternatingautomata. In Proceedings of the 28th International Symposium on Math-ematical Foundations of Computer Science (MFCS 2003), volume 2747of Lecture Notes in Computer Science, pages 439–448. Springer-Verlag,2003.

M. C. W. Geilen. On the construction of monitors for temporal logic prop-erties. Electronic Notes in Theoretical Computer Science, 55(2), 2001.

J. Geldenhuys and A. Valmari. Tarjan’s algorithm makes on-the-fly LTL ver-ification more efficient. In Proceedings of the 10th International Con-ference on Tools and Algorithms for the Construction and Analysis of Sys-tems (TACAS 2004), volume 2988 of Lecture Notes in Computer Science,pages 205–219. Springer-Verlag, 2004.

J. Geldenhuys and A. Valmari. More efficient on-the-fly LTL verificationwith Tarjan’s algorithm. Theoretical Computer Science, 345(1):60–82,2005.

R. Gerth, D. Peled, M. Y. Vardi, and P. Wolper. Simple on-the-fly auto-matic verification of linear temporal logic. In Proceedings of the 15thIFIP WG6.1 International Symposium on Protocol Specification, Testingand Verification (PSTV 1995), pages 3–18. Chapman & Hall, 1995.

D. Giannakopoulou and F. Lerda. From states to transitions: Improvingtranslation of LTL formulae to Büchi automata. In Proceedings of the22nd IFIP WG6.1 International Conference on Formal Techniques forNetworked and Distributed Systems (FORTE 2002), volume 2529 of Lec-ture Notes in Computer Science, pages 308–326. Springer-Verlag, 2002.

220 BIBLIOGRAPHY

P. Godefroid and G. J. Holzmann. On the verification of temporal properties.In Proceedings of the IFIP TC6/WG6.1 13th International Symposium onProtocol Specification, Testing and Verification (PSTV 1993), pages 109–124. North-Holland, 1993.

P. Godefroid, G. J. Holzmann, and D. Pirottin. State-space caching revisited.In Proceedings of the 4th International Conference on Computer AidedVerification (CAV 1992), volume 663 of Lecture Notes in Computer Sci-ence, pages 178–191. Springer-Verlag, 1993.

P. Godefroid, G. J. Holzmann, and D. Pirottin. State-space caching revisited.Formal Methods in System Design, 7(3):227–241, 1995.

Y. Gurevich and L. Harrington. Trees, automata, and games. In Proceedingsof the 14th Annual ACM Symposium on Theory of Computing (STOC1982), pages 60–65. Association for Computing Machinery, 1982.

S. Gurumurthy, F. Somenzi, and R. Bloem. Fair simulation minimization.In Proceedings of the 14th International Conference on Computer AidedVerification (CAV 2002), volume 2404 of Lecture Notes in Computer Sci-ence, pages 610–624. Springer-Verlag, 2002.

M. Hammer, A. Knapp, and S. Merz. Truly on-the-fly LTL model check-ing. In Proceedings of the 11th International Conference on Tools andAlgorithms for the Construction and Analysis of Systems (TACAS 2005),volume 3440 of Lecture Notes in Computer Science, pages 191–205.Springer-Verlag, 2005.

G. J. Holzmann. Tracing protocols. AT&T Technical Journal, 64(10):2413–2433, 1985.

G. J. Holzmann. On limits and possibilities of automated protocol analysis.In Proceedings of the IFIP WG6.1 7th International Conference on Proto-col Specification, Testing and Verification (PSTV 1987), pages 339–344.North-Holland, 1987.

G. J. Holzmann. An improved protocol reachability analysis technique. Soft-ware – Practice and Experience, 18(2):137–161, 1988.

G. J. Holzmann, D. Peled, and M. Yannakakis. On nested depth first search.In Proceedings of the 2nd SPIN Workshop (SPIN 1997), volume 32 ofDIMACS Series in Discrete Mathematics and Theoretical Computer Sci-ence. American Mathematical Society, 1997.

A. Isli. Mapping an LPTL formula into a Büchi alternating automaton ac-cepting its models. In Temporal Logic: Proceedings of the ICTL Work-shop, pages 85–90. Research Report MPI-I-94-230, Max-Planck-Institut fürInformatik, 1994.

A. Isli. Converting a Büchi alternating automaton to a usual nondeterminis-tic one. Sadhana – Academy Proceedings in Engineering Sciences, 21(2):213–228, 1996.

BIBLIOGRAPHY 221

Y. Kesten, Z. Manna, H. McGuire, and A. Pnueli. A decision algorithm forfull propositional temporal logic. In Proceedings of the 5th InternationalConference on Computer Aided Verification (CAV 1993), volume 697of Lecture Notes in Computer Science, pages 97–109. Springer-Verlag,1993.

Y. Kesten, A. Pnueli, and L. Raviv. Algorithmic verification of linear tem-poral logic specifications. In Proceedings of the 25th International Collo-quium on Automata, Languages and Programming (ICALP 1998), volume1443 of Lecture Notes in Computer Science, pages 1–16. Springer-Verlag,1998.

D. Kozen. On parallelism in Turing machines. In Proceedings of the 17thAnnual Symposium on Foundations of Computer Science (FOCS 1976),pages 89–97. IEEE Computer Society, 1976.

O. Kupferman, N. Piterman, and M. Y. Vardi. Extended temporal logic revis-ited. In Proceedings of the 12th International Conference on ConcurrencyTheory (CONCUR 2001), volume 2154 of Lecture Notes in ComputerScience, pages 519–535. Springer-Verlag, 2001.

O. Kupferman and M. Y. Vardi. On the complexity of branching modularmodel checking. In Proceedings of the 6th International Conference onConcurrency Theory (CONCUR 1995), volume 962 of Lecture Notes inComputer Science, pages 408–422. Springer-Verlag, 1995.

O. Kupferman and M. Y. Vardi. Weak alternating automata are not that weak.In Proceedings of the 5th Israel Symposium on Theory of Computing andSystems (ISTCS 1997), pages 147–158. IEEE Computer Society, 1997.

O. Kupferman and M. Y. Vardi. An automata-theoretic approach to modu-lar model checking. ACM Transactions on Programming Languages andSystems, 22(1):87–128, 2000.

O. Kupferman and M. Y. Vardi. Weak alternating automata are not that weak.ACM Transactions on Computational Logic, 2(3):408–429, 2001.

O. Kupferman and M. Y. Vardi. From complementation to certification.In Proceedings of the 10th International Conference on Tools and Al-gorithms for the Construction and Analysis of Systems (TACAS 2004),volume 2988 of Lecture Notes in Computer Science, pages 591–606.Springer-Verlag, 2004.

O. Kupferman, M. Y. Vardi, and P. Wolper. An automata-theoretic approachto branching-time model checking. Journal of the ACM, 47(2):312–360,2000.

F. Laroussinie, N. Markey, and Ph. Schnoebelen. Temporal logic with for-gettable past. In Proceedings of the 17th IEEE Symposium on Logic inComputer Science (LICS 2002), pages 383–392. IEEE Computer Soci-ety, 2002.

222 BIBLIOGRAPHY

T. Latvala. Efficient model checking of safety properties. In Proceedingsof the 10th International SPIN Workshop on Model Checking Software(SPIN 2003), volume 2648 of Lecture Notes in Computer Science, pages74–88. Springer-Verlag, 2003.

T. Latvala and K. Heljanko. Coping with strong fairness – On-the-fly empti-ness checking for Streett automata. In Proceedings of the Workshop onConcurrency, Specification and Programming (CS&P 1999), pages 107–118. Warsaw University, 1999.

T. Latvala and K. Heljanko. Coping with strong fairness. Fundamenta Infor-maticae, 43(1–4):175–193, 2000.

E. Leiss. Succinct representation of regular languages by Boolean automata.Theoretical Computer Science, 13(3):323–330, 1981.

O. Lichtenstein and A. Pnueli. Checking that finite state concurrent pro-grams satisfy their linear specification. In Proceedings of the 12th An-nual ACM Symposium on Principles of Programming Languages (POPL1985), pages 97–107. Association for Computing Machinery, 1985.

O. Lichtenstein and A. Pnueli. Propositional temporal logics: Decidabilityand completeness. Logic Journal of the IGPL, 8(1):55–85, 2000.

P. Lindsay. On alternating ω-automata. Journal of Computer and SystemSciences, 36(1):16–24, 1988.

C. Löding. Methods for the Transformation of ω-Automata: Complexity andConnection to Second Order Logic. Diploma thesis, Christian-Albrechts-University of Kiel, 1998.

C. Löding and W. Thomas. Alternating automata and logics over infinitewords. In Proceedings of the IFIP International Conference on Theoreti-cal Computer Science – Exploring New Frontiers of Theoretical Informat-ics (IFIP TCS2000), volume 1872 of Lecture Notes in Computer Science,pages 521–535. Springer-Verlag, 2000.

M. Maidl. The common fragment of CTL and LTL. In Proceedings of the41st Annual Symposium on Foundations of Computer Science (FOCS2000), pages 643–652. IEEE Computer Society, 2000a.

M. Maidl. Using Model Checking for System Verification. Doctoral dis-sertation, Fakultät für Mathematik und Informatik, Ludwig-Maximilians-Universität, München, 2000b.

Z. Manna and A. Pnueli. The Temporal Logic of Reactive and ConcurrentSystems – Specification. Springer-Verlag, 1992.

Z. Manna and H. B. Sipma. Alternating the temporal picture for safety.In Proceedings of the 27th International Colloquium on Automata, Lan-guages and Programming (ICALP 2000), volume 1853 of Lecture Notesin Computer Science, pages 429–450. Springer-Verlag, 2000.

BIBLIOGRAPHY 223

Z. Manna and P. Wolper. Synthesis of communicating processes from tem-poral logic specifications. In Proceedings of the Workshop on Logics ofPrograms 1981, volume 131 of Lecture Notes in Computer Science, pages253–281. Springer-Verlag, 1982.

Z. Manna and P. Wolper. Synthesis of communicating processes from tem-poral logic specifications. ACM Transactions on Programming Languagesand Systems, 6(1):68–93, 1984.

R. McNaughton. Testing and generating infinite sequences by a finite au-tomaton. Information and Control, 9(5):521–530, 1966.

S. Merz and A. Sezgin. Emptiness of linear weak alternating automata. Tech-nical report, LORIA, 2003.

M. Michel. Computation of temporal operators. Logique et Analyse, 28(110–111):137–152, 1985.

S. Miyano and T. Hayashi. Alternating finite automata on ω-words. In Pro-ceedings of the 9th International Colloquium on Trees in Algebra andProgramming (CAAP 1984), pages 195–209. Cambridge University Press,1984a.

S. Miyano and T. Hayashi. Alternating finite automata on ω-words. Theoret-ical Computer Science, 32(3):321–330, 1984b.

D. E. Muller, A. Saoudi, and P. E. Schupp. Alternating automata, the weakmonadic theory of the tree, and its complexity. In Proceedings of the13th International Colloquium on Automata, Languages and Program-ming (ICALP 1986), volume 226 of Lecture Notes in Computer Science,pages 275–283. Springer-Verlag, 1986.

D. E. Muller, A. Saoudi, and P. E. Schupp. Weak alternating automata givea simple explanation of why most temporal and dynamic logics are decid-able in exponential time. In Proceedings of the 3rd Annual Symposiumon Logic in Computer Science (LICS 1988), pages 422–427. IEEE Com-puter Society, 1988.

D. E. Muller, A. Saoudi, and P. E. Schupp. Alternating automata, the weakmonadic theory of trees and its complexity. Theoretical Computer Sci-ence, 97(2):233–244, 1992.

D. E. Muller and P. E. Schupp. Alternating automata on infinite objects,determinacy and Rabin’s theorem. In Automata on Infinite Words, vol-ume 192 of Lecture Notes in Computer Science, pages 100–107. Springer-Verlag, 1985.

D. E. Muller and P. E. Schupp. Alternating automata on infinite trees. The-oretical Computer Science, 54(2–3):267–276, 1987.

D. E. Muller and P. E. Schupp. Simulating alternating tree automata bynondeterministic automata: New results and new proofs of the theoremsof Rabin, McNaughton and Safra. Theoretical Computer Science, 141(1–2):69–107, 1995.

224 BIBLIOGRAPHY

A. Muscholl and I. Walukiewicz. An NP-complete fragment of LTL. In Pro-ceedings of the 8th International Conference on Developments in Lan-guage Theory (DLT 2004), volume 3340 of Lecture Notes in ComputerScience, pages 334–344, 2004.

A. Muscholl and I. Walukiewicz. An NP-complete fragment of LTL. In-ternational Journal of Foundations of Computer Science, 16(4):743–753,2005.

C. Papadimitriou. Computational Complexity. Addison-Wesley, 1994.

R. Pelánek. Typical structural properties of state spaces. In Proceedingsof the 11th International SPIN Workshop on Model Checking Software(SPIN 2004), volume 2989 of Lecture Notes in Computer Science, pages5–22. Springer-Verlag, 2004.

D. Peled. Combining partial order reductions with on-the-fly model-checking. In Proceedings of the 6th International Conference on Com-puter Aided Verification (CAV 1994), volume 818 of Lecture Notes inComputer Science, pages 377–390. Springer-Verlag, 1994.

D. A. Peled. Combining partial order reductions with on-the-fly modelchecking. Formal Methods in System Design, 8(1):39–64, 1996.

D. Perrin and J.-E. Pin. Infinite Words: Automata, Semigroups, Logic andGames, volume 141 of Pure and Applied Mathematics. Elsevier, 2004.

A. Pnueli. The temporal logic of programs. In Proceedings of the 18thAnnual Symposium on Foundations of Computer Science (FOCS 1977),pages 46–57. IEEE Computer Society, 1977.

A. Pnueli. The temporal semantics of concurrent programs. TheoreticalComputer Science, 13(1):45–60, 1981.

J.-P. Queille and J. Sifakis. Specification and verification of concurrent sys-tems in CESAR. In Proceedings of the 5th International Symposium onProgramming, volume 137 of Lecture Notes in Computer Science, pages337–351. Springer-Verlag, 1982.

M. O. Rabin. Decidability of second-order theories and automata on infi-nite trees. Transactions of the American Mathematical Society, 141:1–35,1969.

M. O. Rabin and D. Scott. Finite automata and their decision prob-lems. IBM Journal of Research and Development, 3(2):114–125, 1959.Reprinted (with corrections) in Sequential Machines – Selected Papers,pages 63–91. Addison-Wesley, 1964.

Y. S. Ramakrishna, L. K. Dillon, L. E. Moser, P. M. Melliar-Smith, andG. Kutty. An automata-theoretic decision procedure for future intervallogic. In Proceedings of the 12th Conference on Foundations of SoftwareTechnology and Theoretical Computer Science (FSTTCS 1992), volume652 of Lecture Notes in Computer Science, pages 51–67. Springer-Verlag,1992a.

BIBLIOGRAPHY 225

Y. S. Ramakrishna, P. M. Melliar-Smith, L. E. Moser, L. K. Dillon, andG. Kutty. Interval logics and their decision procedures, part I: An intervallogic. Theoretical Computer Science, 166(1–2):1–47, 1996.

Y. S. Ramakrishna, L. E. Moser, L. K. Dillon, P. M. Melliar-Smith, andG. Kutty. An automata-theoretic decision procedure for propositional tem-poral logic with since and until. Fundamenta Informaticae, 17(3):271–282, 1992b.

G. S. Rohde. Alternating Automata and the Temporal Logic of Ordinals.PhD thesis, University of Illinois at Urbana-Champaign, 1997.

S. Safra. On the complexity of ω-automata. In Proceedings of the 29thAnnual Symposium on Foundations of Computer Science (FOCS 1988),pages 319–327. IEEE Computer Society, 1988.

K. Schneider. Yet another look at LTL model checking. In Proceedings ofthe 10th IFIP WG10.5 Advanced Research Working Conference on Cor-rect Hardware Design and Verification Methods, volume 1703 of LectureNotes in Computer Science, pages 321–325. Springer-Verlag, 1999.

K. Schneider. Improving automata generation for linear temporal logic byconsidering the automaton hierarchy. In Proceedings of the 8th Interna-tional Conference on Logic for Programming, Artificial Intelligence andReasoning (LPAR 2001), volume 2250 of Lecture Notes in Computer Sci-ence, pages 39–54. Springer-Verlag, 2001.

S. Schwoon and J. Esparza. A note on on-the-fly verification algorithms.In Proceedings of the 11th International Conference on Tools and Al-gorithms for the Construction and Analysis of Systems (TACAS 2005),volume 3440 of Lecture Notes in Computer Science, pages 174–190.Springer-Verlag, 2005.

R. Sebastiani and S. Tonetta. “More deterministic” vs. “smaller” Büchi au-tomata for efficient LTL model checking. In Proceedings of the 12th IFIPWG 10.5 Advanced Research Working Conference on Correct HardwareDesign and Verification Methods (CHARME 2003), volume 2860 of Lec-ture Notes in Computer Science, pages 126–140. Springer-Verlag, 2003.

A. P. Sistla and E. M. Clarke. The complexity of propositional linear tempo-ral logics. In Proceedings of the 14th Annual ACM Symposium on Theoryof Computing (STOC 1982), pages 159–168. Association for ComputingMachinery, 1982.

A. P. Sistla and E. M. Clarke. The complexity of propositional linear tempo-ral logics. Journal of the ACM, 32(3):733–749, 1985.

F. Somenzi and R. Bloem. Efficient Büchi automata from LTL formulae.In Proceedings of the 12th International Conference on Computer AidedVerification (CAV 2000), volume 1855 of Lecture Notes in Computer Sci-ence, pages 248–263. Springer-Verlag, 2000.

226 BIBLIOGRAPHY

U. Stern and D. L. Dill. Improved probabilistic verification by hash com-paction. In Proceedings of the IFIP WG 10.5 Advanced Research Work-ing Conference on Correct Hardware Design and Verification Methods(CHARME 1995), volume 987 of Lecture Notes in Computer Science,pages 206–224. Springer-Verlag, 1995.

U. Stern and D. L. Dill. A new scheme for memory-efficient probabilis-tic verification. In Proceedings of the IFIP TC6 WG6.1 Joint Interna-tional Conference on Formal Description Techniques and Protocol Spec-ification, Testing and Verification (FORTE/PSTV 1996), pages 333–348.Kluwer, 1996.

R. S. Streett. Propositional dynamic logic of looping and converse. In Pro-ceedings of the 13th Annual ACM Symposium on Theory of Comput-ing (STOC 1981), pages 375–383. Association for Computing Machinery,1981.

R. S. Streett. Propositional dynamic logic of looping and converse is elemen-tarily decidable. Information and Control, 54(1/2):121–141, 1982.

R. Tarjan. Depth-first search and linear graph algorithms. In ConferenceRecord of the 12th Annual Symposium on Switching and Automata The-ory, pages 114–121. IEEE Computer Society, 1971.

R. E. Tarjan. Depth-first search and linear graph algorithms. SIAM Journalon Computing, 1(2):146–160, 1972.

H. Tauriainen. On translating linear temporal logic into alternating andnondeterministic automata. Research Report A83, Helsinki University ofTechnology, Laboratory for Theoretical Computer Science, 2003.

H. Tauriainen. Nested emptiness search for generalized Büchi automata. InProceedings of the 4th International Conference on Application of Con-currency to System Design (ACSD 2004), pages 165–174. IEEE Com-puter Society, 2004.

H. Tauriainen. A note on the worst-case memory requirements of generalizednested depth-first search. Research Report A96, Helsinki University ofTechnology, Laboratory for Theoretical Computer Science, 2005.

H. Tauriainen. Nested emptiness search for generalized Büchi automata.Fundamenta Informaticae, 70(1–2):127–154, 2006.

H. Tauriainen and K. Heljanko. Testing SPIN’s LTL formula conversion intoBüchi automata with randomly generated input. In Proceedings of the7th International SPIN Workshop on Model Checking Software (SPIN2000), volume 1885 of Lecture Notes in Computer Science, pages 54–72.Springer-Verlag, 2000.

H. Tauriainen and K. Heljanko. Testing LTL formula translation into Büchiautomata. International Journal on Software Tools for Technology Transfer(STTT), 4(1):57–70, 2002.

BIBLIOGRAPHY 227

X. Thirioux. Simple and efficient translation from LTL formulas to Büchi au-tomata. Electronic Notes in Theoretical Computer Science, 66(2), 2002.

W. Thomas. Star-free regular sets of ω-sequences. Information and Control,42(2):148–156, 1979.

W. Thomas. A combinatorial approach to the theory of ω-automata. Infor-mation and Control, 48(3):261–283, 1981.

W. Thomas. Automata on infinite objects. In Handbook of TheoreticalComputer Science: Formal Models and Semantics, volume B, pages 133–191. Elsevier, 1990.

W. Thomas. Languages, automata, and logic. In Handbook of Formal Lan-guages, volume III, pages 389–455. Springer-Verlag, 1997.

W. Thomas. Complementation of Büchi automata revisited. In Jewels areForever: Contributions on Theoretical Computer Science in Honor ofArto Salomaa, pages 109–120. Springer-Verlag, 1999.

A. Valmari. The state explosion problem. In Lectures on Petri Nets I: BasicModels, volume 1491 of Lecture Notes in Computer Science, pages 429–528. Springer-Verlag, 1998.

M. Y. Vardi. A temporal fixpoint calculus. In Proceedings of the 15th An-nual ACM Symposium on Principles of Programming Languages (POPL1988), pages 250–259. Association for Computing Machinery, 1988.

M. Y. Vardi. Nontraditional applications of automata theory. In Proceedingsof the International Conference on Theoretical Aspects of Computer Soft-ware (TACS 1994), volume 789 of Lecture Notes in Computer Science,pages 575–597, 1994.

M. Y. Vardi. Alternating automata and program verification. In ComputerScience Today – Recent Trends and Developments, volume 1000 of Lec-ture Notes in Computer Science, pages 471–485. Springer-Verlag, 1995.

M. Y. Vardi. An automata-theoretic approach to linear temporal logic. InLogics for Concurrency: Structure versus Automata, volume 1043 of Lec-ture Notes in Computer Science, pages 238–266. Springer-Verlag, 1996.

M. Y. Vardi and P. Wolper. An automata-theoretic approach to automaticprogram verification. In Proceedings of the Symposium on Logic in Com-puter Science (LICS 1986), pages 332–344. IEEE Computer Society,1986.

M. Y. Vardi and P. Wolper. Reasoning about infinite computations. Informa-tion and Computation, 115(1):1–37, 1994.

P. Wolper. Temporal logic can be more expressive. In Proceedings of the22nd Annual Symposium on Foundations of Computer Science (FOCS1981), pages 340–348. IEEE Computer Society, 1981.

228 BIBLIOGRAPHY

P. Wolper. Temporal logic can be more expressive. Information and Control,56(1–2):72–99, 1983.

P. Wolper. The tableau method for temporal logic: An overview. Logique etAnalyse, 28(110–111):119–136, 1985.

P. Wolper. On the relation of programs and computations to models of tem-poral logic. In Temporal Logic in Specification, volume 398 of LectureNotes in Computer Science, pages 75–123. Springer-Verlag, 1987.

P. Wolper. Constructing automata from temporal logic formulas: A tuto-rial. In Lectures on Formal Methods and Performance Analysis: FirstEEF/Euro Summer School on Trends in Computer Science, Revised Lec-tures, volume 2090 of Lecture Notes in Computer Science, pages 261–277. Springer-Verlag, 2001.

P. Wolper and D. Leroy. Reliable hashing without collision detection. InProceedings of the 5th International Conference on Computer Aided Ver-ification (CAV 1993), volume 697 of Lecture Notes in Computer Science,pages 59–70. Springer-Verlag, 1993.

P. Wolper, M. Y. Vardi, and A. P. Sistla. Reasoning about infinite computa-tion paths. In Proceedings of the 24th Annual Symposium on Foundationsof Computer Science (FOCS 1983), pages 185–194. IEEE Computer So-ciety, 1983.

BIBLIOGRAPHY 229

HELSINKI UNIVERSITY OF TECHNOLOGY LABORATORY FOR THEORETICAL COMPUTER SCIENCE

RESEARCH REPORTS

HUT-TCS-A91 Mikko Sarela

Measuring the Effects of Mobility on Reactive Ad Hoc Routing Protocols. May 2004.

HUT-TCS-A92 Timo Latvala, Armin Biere, Keijo Heljanko, Tommi Junttila

Simple Bounded LTL Model Checking. July 2004.

HUT-TCS-A93 Tuomo Pyhala

Specification-Based Test Selection in Formal Conformance Testing. August 2004.

HUT-TCS-A94 Petteri Kaski

Algorithms for Classification of Combinatorial Objects. June 2005.

HUT-TCS-A95 Timo Latvala

Automata-Theoretic and Bounded Model Checking for Linear Temporal Logic. August 2005.

HUT-TCS-A96 Heikki Tauriainen

A Note on the Worst-Case Memory Requirements of Generalized Nested Depth-First Search.

September 2005.

HUT-TCS-A97 Toni Jussila

On Bounded Model Checking of Asynchronous Systems. October 2005.

HUT-TCS-A98 Antti Autere

Extensions and Applications of the A∗ Algorithm. November 2005.

HUT-TCS-A99 Misa Keinanen

Solving Boolean Equation Systems. November 2005.

HUT-TCS-A100 Antti E. J. Hyvarinen

SATU: A System for Distributed Propositional Satisfiability Checking in Computational

Grids. February 2006.

HUT-TCS-A101 Jori Dubrovin

Jumbala — An Action Language for UML State Machines. March 2006.

HUT-TCS-A102 Satu Elisa Schaeffer

Algorithms for Nonuniform Networks. April 2006.

HUT-TCS-A103 Janne Lundberg

A Wireless Multicast Delivery Architecture for Mobile Terminals. May 2006.

HUT-TCS-A104 Heikki Tauriainen

Automata and Linear Temporal Logic: Translations with Transition-Based Acceptance.

September 2006.

ISBN 951-22-8343-3

ISSN 1457-7615

automata and linear temporal logic: translations with...

Documents